Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-23331

HIGH
Published 2024-01-19T19:43:17.404Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-23331. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
7.5
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.004
probability
of exploitation in the wild

There is a 0.4% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.578
Higher than 57.8% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
NONE
Availability
NONE

Description

Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in [email protected], [email protected], [email protected], and [email protected]. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

vitejs

vite

Affected Versions:

>=2.7.0, < 2.9.17 >=3.0.0, <3.2.8 >=4.0.0, < 4.5.2 >=5.0.0, < 5.0.12

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

GHSA-c24v-8rfc-w8vw

Advisory Details

### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. ### Patches Fixed in [email protected], [email protected], [email protected], [email protected] ### Details Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. See `picomatch` usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632 By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. ### PoC **Setup** 1. Created vanilla Vite project using `npm create vite@latest` on a Standard Azure hosted Windows 10 instance. - `npm run dev -- --host 0.0.0.0` - Publicly accessible for the time being here: http://20.12.242.81:5173/ 2. Created dummy secret files, e.g. `custom.secret` and `production.pem` 3. Populated `vite.config.js` with ```javascript export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } } ``` **Reproduction** 1. `curl -s http://20.12.242.81:5173/@fs//` - Descriptive error page reveals absolute filesystem path to project root 2. `curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js` - Discoverable configuration file reveals locations of secrets 3. `curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT` - Secrets are directly accessible using case-augmented version of filename **Proof** ![Screenshot 2024-01-19 022736](https://user-images.githubusercontent.com/907968/298020728-3a8d3c06-fcfd-4009-9182-e842f66a6ea5.png) ### Impact **Who** - Users with exposed dev servers on environments with case-insensitive filesystems **What** - Files protected by `server.fs.deny` are both discoverable, and accessible

Affected Packages

npm vite
ECOSYSTEM: ≥2.7.0 <2.9.17
npm vite
ECOSYSTEM: ≥3.0.0 <3.2.8
npm vite
ECOSYSTEM: ≥4.0.0 <4.5.2
npm vite
ECOSYSTEM: ≥5.0.0 <5.0.12

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

WEB https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-34092
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-23331
WEB https://github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691
WEB https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
WEB https://github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278
WEB https://github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb
PACKAGE https://github.com/vitejs/vite
WEB https://vitejs.dev/config/server-options.html#server-fs-deny

Advisory provided by GitHub Security Advisory Database. Published: January 19, 2024, Modified: January 19, 2024

References

https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
https://vitejs.dev/config/server-options.html#server-fs-deny
Published: 2024-01-19T19:43:17.404Z
Last Modified: 2025-06-17T21:19:25.323Z
Copied to clipboard!