Bug 2273531 (CVE-2024-31207) - CVE-2024-31207 vitejs: "server.fs.deny" configuration does not deny requests that include patterns
Keywords:
Status: NEW
Alias: CVE-2024-31207
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2273528
Reported: 2024-04-04 20:59 UTC by Robb Gatica
Modified: 2024-04-16 11:13 UTC (History)

Fixed In Version: vite 5.2.6, vite 5.1.7, vite 5.0.13, vite 4.5.3, vite 3.2.10, vite 2.9.18
Doc Type: ---
Doc Text:
A flaw was found in the Node.js Vite package. When configuring the "server.fs.deny" server option to deny requests that include a pattern with directories such as /foo/**/*, the requests were still being allowed. This can potentially expose files or directories containing sensitive information. Only apps setting a custom "server.fs.deny" that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using --host or server.host config option are affected.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2024-04-04 20:59:17 UTC
Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience. `server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18. Note: Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0
https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48
https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67
https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9
https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258
https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649
https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g
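The Doc Text above names three conditions that must all hold for an app to be affected: an unpatched Vite version, a custom server.fs.deny entry containing a directory pattern such as /foo/**/*, and a dev server exposed to the network via --host or server.host. The following is an added example, not Vite's own code, that applies those conditions to a project's version string and config; the config shape (serverConfig.host, serverConfig.fs.deny) mirrors the Vite option names in this bug, and treating release lines without a listed backport as unpatched is a conservative assumption of this example.

```javascript
// Fixed versions listed in this bug, keyed by release line.
const FIXED_IN = { '5.2': '5.2.6', '5.1': '5.1.7', '5.0': '5.0.13',
                   '4.5': '4.5.3', '3.2': '3.2.10', '2.9': '2.9.18' };
const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// "v5.2.6-beta.1" -> [5, 2, 6]; a leading "v" and any pre-release tag are dropped.
function parseVersion(v) {
  return v.replace(/^v/, '').split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Unpatched when older than the fix for its own release line. Lines with no
// listed backport (assumption, conservative): unpatched unless newer than 5.2.6.
function isUnpatched(version) {
  const [major, minor] = parseVersion(version);
  return compareVersions(version, FIXED_IN[`${major}.${minor}`] || '5.2.6') < 0;
}

// The flaw concerned deny patterns that include directories, such as "/foo/**/*".
function hasDirectoryPattern(deny) {
  return deny.some((pattern) => pattern.includes('/'));
}

// Exposed when --host is given (bare, "--host 0.0.0.0" or "--host=0.0.0.0") or
// server.host is true or a non-loopback address.
function isNetworkExposed(serverConfig = {}, cliArgs = []) {
  let host = serverConfig.host;
  const i = cliArgs.findIndex((a) => a === '--host' || a.startsWith('--host='));
  if (i !== -1) {
    const next = cliArgs[i + 1];
    if (cliArgs[i].includes('=')) host = cliArgs[i].slice('--host='.length);
    else host = next && !next.startsWith('-') ? next : true;
  }
  return host === true || (typeof host === 'string' && !LOOPBACK.has(host));
}

// All three conditions from the bug must hold for the app to be affected.
function isAffected({ version, serverConfig = {}, cliArgs = [] }) {
  const deny = (serverConfig.fs && serverConfig.fs.deny) || [];
  return isUnpatched(version) && hasDirectoryPattern(deny) &&
    isNetworkExposed(serverConfig, cliArgs);
}
```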

