[Security] Bump vite from 5.0.11 to 5.0.12

Dependabot requested to merge dependabot-npm_and_yarn-vite-5.0.12 into master

Bumps vite from 5.0.11 to 5.0.12. This update includes a security fix.

Vulnerabilities fixed

Vite dev server option server.fs.deny can be bypassed when hosted on case-insensitive filesystem

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details

Since picomatch defaults to case-sensitive glob matching but the file server does not discriminate by case, a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.
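To make the defect class concrete, the following is an added example (not Vite's code and not the advisory's PoC): a toy static file server with a deny list matched once case-sensitively, mirroring picomatch's `nocase: false` default described above, and once case-insensitively, as a host on a case-insensitive filesystem requires. The deny patterns, the glob subset (`*` and `{a,b}` only) and the `Map` standing in for a case-insensitive filesystem are all constructed for the example.

```javascript
// Constructed deny list in the style of server.fs.deny (an assumption, not Vite's defaults).
const DENY_PATTERNS = ['.env', '.env.*', '*.{crt,pem}'];

// Escape a literal string for use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Minimal glob -> RegExp conversion supporting only "*" and "{a,b}" alternation.
// `nocase` is the knob that matters here: false gives case-sensitive matching.
function globToRegExp(glob, { nocase = false } = {}) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const ch = glob[i];
    if (ch === '*') {
      re += '[^/]*';
    } else if (ch === '{') {
      const end = glob.indexOf('}', i);
      if (end === -1) throw new Error('unbalanced brace in glob: ' + glob);
      const alts = glob.slice(i + 1, end).split(',').map(escapeRegExp);
      re += '(?:' + alts.join('|') + ')';
      i = end;
    } else {
      re += escapeRegExp(ch);
    }
  }
  return new RegExp('^' + re + '$', nocase ? 'i' : '');
}

// Build a matcher over a deny list; returns true when a basename is denied.
function makeDenyMatcher(patterns, opts) {
  const regs = patterns.map((p) => globToRegExp(p, opts));
  return (name) => regs.some((r) => r.test(name));
}

// Constructed stand-in for a case-insensitive filesystem: lookups succeed regardless of
// the casing of the requested name, which is the behaviour the advisory relies on.
const FILES = new Map([
  ['.env', 'API_KEY=constructed-placeholder'],
  ['index.html', '<!doctype html><title>constructed</title>'],
]);
function readFileCaseInsensitive(name) {
  return FILES.has(name.toLowerCase()) ? FILES.get(name.toLowerCase()) : null;
}

// Vulnerable shape: deny list matched case-sensitively while the FS is not.
const denyNaive = makeDenyMatcher(DENY_PATTERNS, { nocase: false });
// Hardened shape: deny list matched case-insensitively whenever the FS is.
const denyHardened = makeDenyMatcher(DENY_PATTERNS, { nocase: true });

function serve(requestedBasename, isDenied) {
  if (isDenied(requestedBasename)) return { status: 403, body: null };
  const body = readFileCaseInsensitive(requestedBasename);
  return body === null ? { status: 404, body: null } : { status: 200, body };
}
function serveNaive(name) {
  return serve(name, denyNaive);
}
function serveHardened(name) {
  return serve(name, denyHardened);
}
```

The defensive takeaway is that the deny matcher and the filesystem must agree on case semantics: either enable case-insensitive matching (picomatch's `nocase` option, which the advisory notes defaults to `false`) on hosts whose filesystem folds case, or compare against the canonical on-disk name rather than the request string.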

PoC

Setup

  1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.

... (truncated)

Patched versions: 5.0.12

Affected versions: >= 5.0.0, <= 5.0.11

Changelog

Sourced from vite's changelog.

5.0.12 (2024-01-19)

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
