Vite Path Traversal Vulnerability in Source Map Handling

A path traversal vulnerability has been identified in Vite, a frontend tooling framework for JavaScript. This issue affects versions 6.0.0 prior to 6.4.2, as well as 7.0.0 through 7.3.1, and version 8.0.0 prior to 8.0.5. The vulnerability arises in the dev server's management of .map requests for optimized dependencies, where file paths are resolved and readFile is called without properly restricting ../ segments in the URL. Consequently, it is possible to bypass the server.fs.strict allow list and access .map files located outside the project root, provided these files can be parsed as valid source map JSON. This vulnerability is particularly concerning for applications that expose the Vite dev server to the network and have sensitive content in .map files with predictable paths.

Impact

Exploitation of this vulnerability allows for unauthorized access to .map files outside the project root, potentially leading to the exposure of sensitive information contained within those files.

Reproduction

To reproduce this vulnerability, first create a .map file with a valid source map structure and place it outside the project root. Then, start the Vite dev server with the --host option to expose it to the network. After confirming that access to the @fs prefix is blocked by the strict option, inject ../ segments into the .map request URL for optimized dependencies to traverse the file system and retrieve the PoC .map file.

Remediation

Users can upgrade to Vite versions 6.4.2, 7.3.2, or 8.0.5, where this vulnerability has been fixed.