vite-plugin-static-copy Directory Traversal Vulnerability Allowing Arbitrary File Access

A directory traversal vulnerability has been identified in vite-plugin-static-copy, a Vite plugin that supports file copying with development server integration. This issue allows access to files not included in the 'src' directory through a crafted request. The vulnerability affects versions 3.0.0 through 3.1.1 and 0.4.3 through 2.3.1. It is important to note that only applications exposing the Vite development server to the network are vulnerable. The issue has been fixed in versions 2.3.2 and 3.1.2.

Impact

Exploitation of this vulnerability could lead to the unauthorized disclosure of arbitrary files from the server's filesystem.

Reproduction

To reproduce this vulnerability, first, create a Vite project and install the vite-plugin-static-copy plugin. In the vite.config.ts file, configure the plugin to copy files from the public/images directory to the root directory. Then, run the Vite development server, ensuring it is accessible over the network. Once the server is running, send a request to the server that includes a path traversal sequence, such as '../../../../../etc/passwd'. The response will include the contents of the requested file, demonstrating the vulnerability.

Remediation

Users can upgrade to vite-plugin-static-copy version 2.3.2 or 3.1.2 to address this vulnerability.