Description
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use appType: 'spa' (default) or appType: 'mpa' are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
A path traversal / static-file serving bypass vulnerability has been identified in Vite’s static file server, where HTML files located outside the configured root or deny/allow lists may be served even when server.fs settings (such as deny) are used. An attacker can exploit this by requesting HTML files (via paths using .. or similar) that should be blocked, but are returned because the middleware chain falls back to HTML-fallback and index HTML handlers which do not enforce the file system restrictions.
Report
This issue is rated Low severity as it only allows unintended disclosure of HTML files and does not impact system integrity or availability. Exploitation requires specific conditions: the application must explicitly expose the Vite dev server to the network (via --host or server.host), and must be configured as appType: 'spa' (default) or appType: 'mpa'. The vulnerability also affects the preview server, which may serve HTML files outside of the designated output directory.
Mitigation
- Avoid exposing the dev or preview server to untrusted networks.
- Disable or restrict HTML fallback handlers if possible.
- Carefully review server.fs.allow / server.fs.deny settings to minimize exposure.
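As an added example (not Vite's own code and not part of the original advisory), the following JavaScript triage helper turns the conditions listed above into a check a defender can run against a project's Vite version and configuration: it tests whether the installed version is below the fixed release on its line (7.1.5, 7.0.7, 6.3.6, 5.4.20), whether the dev or preview server is exposed to the network (`--host`, `server.host`, `preview.host`), and whether `appType` is `'spa'` (the default) or `'mpa'`. The sample `projectConfig` and `hardenedConfig` objects are constructed for illustration; the `server.fs.strict`, `server.fs.allow`, `server.fs.deny`, `server.host`, `preview.host` and `appType` options are real Vite settings. Assumptions are marked in the comments: majors older than 5 are treated as affected (they precede every fix), release lines newer than the last named fix are treated as fixed, and the preview-server condition is applied regardless of `appType` because the advisory does not tie it to one.

```javascript
// Added example: triage helper for the Vite HTML-serving bypass described above.
// Fixed versions named in the advisory.
const FIXED_VERSIONS = ['7.1.5', '7.0.7', '6.3.6', '5.4.20'];

// Parse "major.minor.patch" (any pre-release suffix is ignored).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `version` is below the fix that applies to its release line.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  const fixes = FIXED_VERSIONS.map(parseVersion);
  const majors = fixes.map((f) => f[0]);
  // Assumption: majors older than the oldest fixed line (4.x and below) precede every fix.
  if (v[0] < Math.min(...majors)) return true;
  // Assumption: a major newer than any the advisory names ships the fix.
  if (v[0] > Math.max(...majors)) return false;
  // The fix that governs this version is the lowest fixed version on the same major
  // whose minor line is at or after ours (e.g. 6.2.x is governed by 6.3.6).
  const candidates = fixes
    .filter((f) => f[0] === v[0] && f[1] >= v[1])
    .sort(compareVersions);
  // Assumption: a minor line newer than the last fix on this major is fixed (e.g. 7.2.x).
  if (candidates.length === 0) return false;
  return compareVersions(v, candidates[0]) < 0;
}

// Vite's `host` option: `true` or a non-loopback address exposes the server on the network.
function hostExposesNetwork(host) {
  if (host === true) return true;
  if (typeof host !== 'string') return false;
  return !['localhost', '127.0.0.1', '::1'].includes(host);
}

// Returns { affected, reasons } for a given version, config object and CLI arguments.
function assessExposure({ version, config = {}, cliArgs = [] }) {
  if (!isVulnerableVersion(version)) {
    return { affected: false, reasons: [`vite ${version} includes the fix`] };
  }
  const reasons = [];
  const hostFlag = cliArgs.some((a) => a === '--host' || a.startsWith('--host='));
  const server = config.server || {};
  const preview = config.preview || {};
  const appType = config.appType || 'spa'; // 'spa' is Vite's default appType
  const devExposed = hostFlag || hostExposesNetwork(server.host);
  const previewExposed = hostFlag || hostExposesNetwork(preview.host);
  if (devExposed && ['spa', 'mpa'].includes(appType)) {
    reasons.push(`dev server exposed to the network with appType '${appType}'`);
  }
  // Assumption: the preview-server condition is not tied to appType in the advisory.
  if (previewExposed) reasons.push('preview server exposed to the network');
  return { affected: reasons.length > 0, reasons };
}

// Constructed sample: a dev setup that meets every condition in the advisory.
const projectConfig = { server: { host: '0.0.0.0', fs: { deny: ['.env', '*.key'] } } };

// Constructed sample of the mitigations above: keep the server on loopback and tighten fs rules.
const hardenedConfig = {
  server: {
    host: 'localhost',
    fs: { strict: true, allow: ['./src', './public'], deny: ['.env', '.env.*', '*.key'] },
  },
  preview: { host: 'localhost' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(assessExposure({ version: '6.3.5', config: projectConfig }));
  console.log(assessExposure({ version: '6.3.5', config: hardenedConfig }));
}
```

The version check matters because `server.fs.deny` alone does not close the issue on an affected version: the reasons list stays non-empty until the server is either kept off the network or upgraded to a fixed release.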
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | automation-controller | Fix deferred | | |
| Red Hat Ansible Automation Platform 2 | automation-eda-controller | Fix deferred | | |
| Red Hat Ansible Automation Platform 2 | automation-gateway | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform 8 | org.keycloak-keycloak-parent | Fix deferred | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | org.keycloak-keycloak-parent | Fix deferred | | |
| Red Hat OpenShift Dev Spaces | devspaces/traefik-rhel9 | Fix deferred | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-agent-rhel8 | Fix deferred | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-all-in-one-rhel8 | Fix deferred | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-collector-rhel8 | Fix deferred | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-es-index-cleaner-rhel8 | Fix deferred | | |
Additional information
EPSS
3.7 Low
CVSS3