Cloudflare Vite Plugin Sensitive File Exposure Vulnerability

A vulnerability in the Cloudflare Vite plugin allows sensitive files to be accessed through the local development server. This issue affects versions prior to 1.6.0 of the plugin. The vulnerability arises because the default configuration of the plugin exposes all files, including those in the root directory that contain secret information such as .env and .dev.vars files.

Impact

The vulnerability could lead to unauthorized access to sensitive information, such as environment variables and project dependencies, which could be exploited to compromise the application or its data.

Reproduction

To reproduce this vulnerability, create a Workers project using the Cloudflare Vite plugin. Add secret files, such as .env or .dev.vars, and run the development server. The exposed files can be accessed through the local server, which may be shared publicly via cloudflared, revealing the secrets to the internet.

Remediation

Users can update to version 1.6.0 or later of the Cloudflare Vite plugin, which addresses this vulnerability by restricting access to sensitive files.