Description
vite-plugin-static-copy: files not included in src can be accessed with a crafted request
Summary
Files not included in src could be accessed with a crafted request.
Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Arbitrary files can be disclosed by exploiting this vulnerability.
Details
Consider the following configuration used in vite.config.ts:
Only the files under ./public/images are expected to be served. By abusing this vulnerability, an attacker can access arbitrary files on the filesystem.
PoC
I've attached a demo app to showcase the bug.
Run it with npm run dev and issue the following HTTP request
OR
Observe that the /etc/passwd file is included in the response.
References
- https://github.com/sapphi-red/vite-plugin-static-copy/security/advisories/GHSA-pp7p-q8fx-2968
- https://nvd.nist.gov/vuln/detail/CVE-2025-57753
- https://github.com/sapphi-red/vite-plugin-static-copy/commit/0bc6b49ed72b46eecfc9682045f4b46a19694969
- https://github.com/sapphi-red/vite-plugin-static-copy/commit/4627afb8582083eab733881d3d974e1c1f23997d
- https://github.com/sapphi-red/vite-plugin-static-copy/releases/tag/vite-plugin-static-copy%402.3.2
- https://github.com/sapphi-red/vite-plugin-static-copy/releases/tag/vite-plugin-static-copy%403.1.2
Packages
- vite-plugin-static-copy, affected >= 3.0.0, <= 3.1.1, patched in 3.1.2
- vite-plugin-static-copy, affected >= 0.4.3, <= 2.3.1, patched in 2.3.2
Related vulnerabilities
vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Files not included in src are accessible with a crafted request. The vulnerability is fixed in 2.3.2 and 3.1.2.