Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Vite Arbitrary File Read Vulnerability via Inline and Raw Import Queries

Vulnerability

A vulnerability in Vite, a frontend tooling framework for JavaScript, allows the contents of files outside the dev server's allow list to be read through the Vite dev server. This issue affects versions 6.2.0 through 6.2.3, 6.1.0 through 6.1.2, 6.0.0 through 6.0.12, 5.0.0 through 5.4.15, and 4.5.10 and prior. The vulnerability arises only when the dev server is explicitly exposed to the network, using the '--host' option or the 'server.host' configuration. Exploitation is achieved by appending specific query parameters to the request, which bypasses Vite's file serving restrictions and allows access to arbitrary files, such as system files.

Impact

Exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive file contents, including potentially critical system files, depending on the application's context and the files accessed.

Reproduction

To reproduce this vulnerability, create a new Vite project and expose the development server to the network by using the '--host' option or by configuring 'server.host' to allow external access. Once the server is running, send a request to the Vite dev server with the 'raw?import' or 'inline?import' query parameters, targeting a file outside the allowed directory. The response will include the contents of the requested file, demonstrating the vulnerability.

Remediation

Users can upgrade to Vite versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11 to address this vulnerability.
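As an added example (not code from this advisory or from the Vite project), the JavaScript below checks an installed Vite version against the affected ranges listed above and screens dev-server access-log lines for the 'raw?import' / 'inline?import' query shapes the advisory describes. The sample log lines are constructed, and the version parser ignores prerelease suffixes (an assumed simplification).

```javascript
// Added example, not from the advisory or the Vite project. Affected ranges
// are copied from the advisory; each entry is [lowest, highest] inclusive.
const AFFECTED_RANGES = [
  ["6.2.0", "6.2.3"], ["6.1.0", "6.1.2"], ["6.0.0", "6.0.12"],
  ["5.0.0", "5.4.15"], ["0.0.0", "4.5.10"], // last entry: "4.5.10 and prior"
];

// Parse "major.minor.patch"; prerelease suffixes like "-beta.1" are ignored (assumed simplification).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when the installed Vite version lies inside any affected range.
function isAffectedViteVersion(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0);
}

// Flag a query carrying the advisory's "raw?import" / "inline?import" shape (percent-decoded first).
function hasSuspiciousImportQuery(target) {
  const q = target.indexOf("?");
  if (q === -1) return false;
  let query = target.slice(q + 1);
  try { query = decodeURIComponent(query); } catch { /* keep undecoded */ }
  return /\b(?:raw|inline)\?import\b/i.test(query);
}

// Screen access-log lines of the form "METHOD target ..."; returns the hits.
function flagRequestLines(lines) {
  return lines.filter((line) => {
    const m = /^\S+\s+(\S+)/.exec(line);
    return m !== null && hasSuspiciousImportQuery(m[1]);
  });
}

// Constructed sample access-log lines (not captured traffic); two should flag.
const SAMPLE_LINES = [
  "GET /src/main.ts HTTP/1.1",
  "GET /src/App.vue?import HTTP/1.1",
  "GET /path/outside/root.txt?raw?import HTTP/1.1",
  "GET /path/outside/root.txt?inline%3Fimport HTTP/1.1",
];
```

The plain '?import' query on App.vue is a normal Vite module request and is deliberately not flagged; only the query shapes the advisory names produce a hit.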

Added: Jun 9, 2025, 7:46 PM
Updated: Jan 22, 2026, 7:04 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          4.5
  impact          2.5
  exploitability  7.7
  remediation     8.3
  relevance       0.0
  threat          9.7
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.