Vite HTML File Serving Vulnerability Bypassing `server.fs` Restrictions

Vulnerability

Vite's development server served HTML files without applying the configured `server.fs` restrictions (`server.fs.allow` and `server.fs.deny`). This issue affects Vite 7.1.0 up to but not including 7.1.5, 7.0.0 up to but not including 7.0.7, 6.0.0 up to but not including 6.3.6, and 5.4.19 and earlier. It is reachable only when the development server is explicitly exposed to the network (via the `--host` flag or the `server.host` option) and Vite is running in SPA or MPA mode (`appType` set to `'spa'`, which is the default, or `'mpa'`). Under those conditions a request can retrieve HTML files located outside the project root, including files in the system's temporary directory.

Impact

Exploitation allows any HTML file readable by the dev server process to be fetched over the network, regardless of the configured `server.fs.allow` and `server.fs.deny` rules. This can expose the contents of HTML files that were never meant to be reachable through the Vite server. The dev server binds to localhost by default, so an instance that was never exposed with `--host` or `server.host` is not reachable by this route.

Reproduction

To reproduce, create a new Vite project, start the development server with network exposure enabled, and use `curl` to request an HTML file that sits in the system's temporary directory. The server returns the file's contents, which demonstrates the bypass. HTML files inside the project directory are likewise served even when the `server.fs` configuration does not allow them.

Remediation

Update to Vite 7.1.5, 7.0.7, 6.3.6, or 5.4.20, where the `server.fs` checks are applied to HTML files. Until the upgrade is in place, keep the development server bound to localhost (do not start it with `--host` or set `server.host`), since the issue is only reachable from an exposed server.
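As an added example (not Vite's own code and not part of the original advisory), the following script checks an installed Vite version against the affected ranges listed in the Vulnerability section and evaluates a Vite config object for the two remaining conditions (network-exposed dev server, SPA/MPA mode). The helper names such as `assessExposure` are illustrative; `server.host` and `appType` are Vite's real configuration options, and `--host` on the CLI is equivalent to `server.host: true`.

```javascript
// Added example, not Vite project code: decide whether a given Vite
// version and dev-server configuration match this advisory's conditions.

// Parse "7.1.4" (or "v7.1.4", "6.3.6-beta.1") into [major, minor, patch].
// Pre-release suffixes are ignored; only the numeric core is compared.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of [major, minor, patch]; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Affected ranges from the advisory: [min inclusive, first fixed version).
// "5.4.19 and earlier" is modelled as everything below 5.4.20.
const AFFECTED_RANGES = [
  { min: [7, 1, 0], fixed: [7, 1, 5] },
  { min: [7, 0, 0], fixed: [7, 0, 7] },
  { min: [6, 0, 0], fixed: [6, 3, 6] },
  { min: [0, 0, 0], fixed: [5, 4, 20] },
];

// True when the version falls inside one of the affected ranges.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.fixed) < 0
  );
}

// True when the dev server would listen on non-loopback addresses.
// `server.host` may be `true` or a host string; the default is localhost.
function isNetworkExposed(config, cliHostFlag = false) {
  if (cliHostFlag) return true;
  const host = config?.server?.host;
  if (host === true) return true;
  if (typeof host !== 'string') return false;
  return !['localhost', '127.0.0.1', '::1'].includes(host);
}

// `appType` defaults to 'spa'; 'custom' disables Vite's HTML serving.
function servesHtml(config) {
  const appType = config?.appType ?? 'spa';
  return appType === 'spa' || appType === 'mpa';
}

// All three conditions must hold for the advisory to apply.
function assessExposure({ version, config = {}, cliHostFlag = false }) {
  const vulnerableVersion = isVulnerableVersion(version);
  const exposed = isNetworkExposed(config, cliHostFlag);
  const html = servesHtml(config);
  return {
    vulnerableVersion,
    exposed,
    servesHtml: html,
    affected: vulnerableVersion && exposed && html,
  };
}

// Constructed sample input: a default project on 7.1.4 started with `vite --host`.
const sample = assessExposure({ version: '7.1.4', cliHostFlag: true });
console.log(sample); // affected: true
```

Feed `assessExposure` the version reported by `vite --version` and the resolved `vite.config.*` object; a result with `affected: true` means the server should either be upgraded to a fixed release or kept off the network until it is.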

Added: Sep 8, 2025, 11:18 PM
Updated: Sep 8, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.