Skip to content

[Security] Bump vite from 3.2.5 to 3.2.7

Dependabot requested to merge dependabot-npm_and_yarn-vite-3.2.7 into master

Bumps vite from 3.2.5 to 3.2.7. This update includes a security fix.

Vulnerabilities fixed

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

Summary

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}'])

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16

Details

Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.

PoC

  1. Create a new latest project of vite using any package manager. (here I'm using react and vue templates for tested and pnpm)
  2. Serve the application on dev mode using pnpm run dev.
  3. Directly access the file from url using double forward-slash (//) (e.g: //.env, //.env.local)
  4. Server Options fs.deny restrict successfully bypassed.

Proof Images:

... (truncated)

Patched versions: 3.2.7 Affected versions: >= 3.0.2, < 3.2.7

Changelog

Sourced from vite's changelog.

3.2.7 (2023-05-26)

3.2.6 (2023-04-18)

Commits

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports