Описание
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the server.fs settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
A path traversal vulnerability has been identified in Vite’s static file serving logic, where files outside of the intended public directory may be served if their names share the same prefix or if symlinks are used to traverse upwards in the filesystem. An attacker could exploit this by placing a symlink inside the public directory that points to sensitive files elsewhere on the host and then requesting crafted paths to read those files.
Отчет
Red Hat Customers should be aware that the underlying vulnerability originates in the sirv package, which is responsible for serving static files. Vite uses sirv internally to serve content during development, which means projects using Vite were also exposed to the issue. While sirv is technically the component containing the flaw, the upstream Vite project issued the CVE/advisory because the impact was most visible and widespread through Vite’s ecosystem. In practice, this means that both direct consumers of sirv and Vite users are affected, but the CVE was filed under Vite Project by it's maintainers. This vulnerability is rated Low severity because exploitation requires several specific conditions: the Vite dev server must be exposed to the network (via --host or server.host), the application must use the public directory feature, and a symlink must exist inside that public directory to point to the target. These conditions make exploitation unlikely in typical production environments, and the impact is limited to disclosure of files outside the intended directory. The vulnerability does not permit code execution, file modification, or denial of service.
Меры по смягчению последствий
- Avoid exposing the Vite dev server (--host / server.host) to untrusted networks.
- Do not allow symlinks inside the public directory that reference files outside of it.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 4 | io.cryostat-cryostat | Fix deferred | ||
| Gatekeeper 3 | gatekeeper/gatekeeper-rhel9 | Fix deferred | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-console-plugin-rhel9 | Fix deferred | ||
| Migration Toolkit for Virtualization | mtv-candidate/mtv-console-plugin-rhel9 | Fix deferred | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Fix deferred | ||
| Multicluster Global Hub | multicluster-globalhub/multicluster-globalhub-grafana-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-cni-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-must-gather-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-pilot-rhel9 | Fix deferred | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-proxyv2-rhel9 | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
3.7 Low
CVSS3
Связанные уязвимости
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Vite is a frontend tooling framework for JavaScript. Prior to versions ...
Vite middleware may serve files starting with the same name with the public directory
3.7 Low
CVSS3