Vite Server.fs.deny Bypass Vulnerability Allowing Access to Denied Files

A vulnerability exists in Vite versions 7.1.0 prior to 7.3.2 and 8.0.5, allowing files meant to be blocked by the server.fs.deny option, such as .env and *.crt files, to be accessed through the Vite development server. This issue arises when the server is exposed to the network and the sensitive files are located in directories permitted by the server.fs.allow option. Exploitation involves appending specific query parameters to the request, which can bypass the denial and return the file contents with an HTTP 200 response.

Impact

Exploitation of this vulnerability could lead to the unintentional exposure of sensitive files, such as environment variables or certificate files, through the Vite development server.

Reproduction

To reproduce this vulnerability, start the Vite development server with the --host option to expose it to the network. Ensure that the server.fs.deny option is properly configured to block access to sensitive files, and that those files are located in directories allowed by the server.fs.allow option. Once the server is running, verify that the denial is enforced by attempting to access a blocked file, which should return a 403 response. Then, repeat the request with the appropriate query parameters that bypass the denial, such as ?raw or ?import&raw, and confirm that the file can be retrieved successfully.

Remediation

Users can upgrade to Vite version 7.3.2 or 8.0.5, both of which address this vulnerability.