Vite Public Directory File Serving Bypass Vulnerability

A vulnerability in Vite, a frontend tooling framework for JavaScript, allows files in the public directory to be served inappropriately, bypassing the intended file system restrictions. This issue affects Vite versions prior to 7.1.5, 7.0.7, 6.3.6, and 5.4.20. The vulnerability arises when the Vite development server is exposed to the network, the public directory feature is enabled, and a symbolic link exists within the public directory.

Impact

Exploitation of this vulnerability allows for directory traversal, where an attacker can access files outside the intended directory, including those marked as private.

Reproduction

To reproduce this vulnerability, create a new Vite project and navigate to the project directory. In the public directory, create a symbolic link. Then, modify the Vite configuration to use the public directory feature and deny access to certain files. When the Vite development server is running, the symbolic link will cause the publicFiles variable to be undefined, allowing for files to be served without the proper restrictions. Finally, use a tool like curl to request a file that should be denied, but is instead served due to the vulnerability.

Remediation

Users can upgrade to Vite versions 7.1.5, 7.0.7, 6.3.6, or 5.4.20 to address this vulnerability.