Vite Server.fs.deny Bypass Vulnerability on Windows

A vulnerability in Vite allows files denied by the server.fs.deny option to be accessed when the development server is running on Windows. This issue affects Vite versions 2.9.18 prior to 3.0.0, 3.2.9 prior to 4.0.0, 4.5.3 prior to 5.0.0, 5.2.6 prior to 5.4.21, 6.0.0 prior to 6.4.1, 7.0.0 prior to 7.0.8, and 7.1.0 prior to 7.1.11. The vulnerability arises because the server.fs.deny option, which is meant to restrict access to certain files, can be bypassed by appending a backslash to the file name in the request URL. This behavior occurs because the file loading mechanism does not properly handle trailing slashes, allowing denied files to be served instead.

Impact

Exploiting this vulnerability can lead to unauthorized access to sensitive files that are meant to be denied by the server.fs.deny configuration. This could include environment files or other confidential data, depending on the application's file structure.

Reproduction

To reproduce this vulnerability, create a new Vite project and add a file named '.env' in the project's root directory. Start the Vite development server, ensuring it is exposed to the network and running on a Windows machine. Then, send a request for the '.env' file using a backslash at the end of the request URL. The server will respond with the contents of the denied file, demonstrating the bypass.

Remediation

Users can update to Vite versions 5.4.21, 6.4.1, 7.0.8, or 7.1.11 to address this vulnerability.