TinaCMS CLI Vite Configuration Vulnerability Allowing Arbitrary File Read

Vulnerability

A vulnerability in the TinaCMS CLI dev server prior to version 2.1.8 allows unauthenticated attackers to read arbitrary files from the host system. This issue arises because the dev server disables Vite's built-in filesystem access restrictions, enabling file access through Vite's default static file handler. The vulnerability can be exploited by any attacker who can reach the dev server, particularly in environments where the server port is publicly accessible or via DNS rebinding attacks.
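The advisory's root cause is a dev server that switches off Vite's filesystem confinement. The following is an added illustrative example, not code from TinaCMS or Vite: it assumes the restriction in question is Vite's `server.fs` option group (`strict`, `allow`, `deny`), places a weak configuration of the kind described beside a hardened one, and provides a small audit function that flags the risky settings so the check can be run over any Vite configuration object before the dev server is started. The config objects and finding ids are constructed for the example.

```javascript
// Added example (not TinaCMS's or Vite's own code).
// Assumption: the "built-in filesystem access restrictions" the advisory refers to
// are Vite's `server.fs.strict` / `server.fs.allow` / `server.fs.deny` options.

// Weak configuration (constructed): confinement switched off and all interfaces bound.
const weakConfig = {
  server: {
    port: 4001,
    host: true,            // listen on every interface, not just loopback
    fs: { strict: false }, // any file the process can read becomes servable
  },
};

// Hardened configuration (constructed): confinement on, loopback only,
// explicit allow list limited to the project, secrets denied outright.
const hardenedConfig = {
  server: {
    port: 4001,
    host: '127.0.0.1',
    fs: {
      strict: true,
      allow: ['.'],
      deny: ['.env', '.env.*', '*.{crt,pem}', '**/.git/**'],
    },
  },
};

// Audit a Vite config object and return a list of findings.
// Each finding has a constructed id, a severity and a human-readable detail.
function auditViteFsConfig(config) {
  const findings = [];
  const server = (config && config.server) || {};
  const fs = server.fs || {};

  // Vite defaults `strict` to true; only an explicit `false` disables confinement.
  if (fs.strict === false) {
    findings.push({
      id: 'fs-strict-disabled',
      severity: 'high',
      detail: 'server.fs.strict is false: files outside the project root can be served',
    });
  }

  // An allow list that names a filesystem root defeats the restriction just as well.
  const allow = Array.isArray(fs.allow) ? fs.allow : [];
  for (const entry of allow) {
    if (entry === '/' || /^[A-Za-z]:[\\/]?$/.test(entry)) {
      findings.push({
        id: 'fs-allow-root',
        severity: 'high',
        detail: `server.fs.allow contains a filesystem root: "${entry}"`,
      });
    }
  }

  // An explicitly empty deny list drops the default protection for .env and key files.
  if (Array.isArray(fs.deny) && fs.deny.length === 0) {
    findings.push({
      id: 'fs-deny-empty',
      severity: 'medium',
      detail: 'server.fs.deny is empty: dotenv and key files are no longer blocked',
    });
  }

  // Binding beyond loopback exposes the dev server to the network, which is the
  // exposure scenario the advisory describes.
  if (server.host === true || server.host === '0.0.0.0' || server.host === '::') {
    findings.push({
      id: 'host-all-interfaces',
      severity: 'medium',
      detail: `server.host is ${JSON.stringify(server.host)}: dev server reachable from other hosts`,
    });
  }

  // In Vite releases that support server.allowedHosts, `true` turns off the Host
  // header check that otherwise limits DNS rebinding.
  if (server.allowedHosts === true) {
    findings.push({
      id: 'allowed-hosts-any',
      severity: 'medium',
      detail: 'server.allowedHosts is true: Host header check disabled',
    });
  }

  return findings;
}

// Run the audit over both constructed configs.
console.log('weak config findings:', auditViteFsConfig(weakConfig));
console.log('hardened config findings:', auditViteFsConfig(hardenedConfig));
```

The audit treats an absent `strict` as the Vite default (enabled) and only flags an explicit `false`, so it reports nothing for a config that never touches `server.fs`; the weak config above produces both a high finding for the disabled restriction and a medium one for the network-wide bind, while the hardened config produces none.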

Impact

Exploitation of this vulnerability allows for unauthorized reading of files on the host system, including sensitive files such as /etc/passwd, /etc/shadow, SSH private keys, and environment variables containing secrets. This vulnerability could also be exploited to access cloud credentials and API keys from configuration files.

Reproduction

To reproduce this vulnerability, run the TinaCMS CLI dev server with the command 'tinacms dev'. The server will start on the default port 4001, with Vite configured to allow unrestricted filesystem access. Once the server is running, an unauthenticated attacker can send requests to port 4001 to access sensitive files on the host system, such as /etc/passwd or /etc/hostname.

Remediation

Users can upgrade to TinaCMS version 2.1.8 or later, where this vulnerability has been fixed.

Added: Mar 12, 2026, 5:19 PM
Updated: Mar 12, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 8.3
remediation: 0.0
relevance: 3.8
threat: 6.5
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.