Vite+ Path Traversal Vulnerability in Package Manager Download Function
Vulnerability
A path traversal vulnerability has been identified in Vite+ versions prior to 0.1.17. The issue arises in the `downloadPackageManager()` function within the `vite-plus/binding` module, where an untrusted `version` string is accepted and used directly in filesystem paths. This allows a caller to manipulate the version input with `../` segments or absolute paths to escape the designated cache root and execute unauthorized file operations outside of the intended directory. Exploitation of this vulnerability could lead to deletion, replacement, or unauthorized population of directories beyond the Vite+ cache location.
Impact
Exploitation of this vulnerability allows for arbitrary file writes outside the intended Vite+ installation root, potentially overwriting critical files or directories. This could disrupt normal operations or, in some cases, be leveraged for more malicious purposes, such as executing unauthorized code.
Reproduction
The vulnerability can be reproduced by importing the `downloadPackageManager()` function from the `vite-plus/binding` module and calling it with a crafted version string that contains traversal sequences. Because the function uses the untrusted input directly in file paths, the normal version validation is bypassed. The reproduction can be automated with a script that runs a local server serving a malicious package, which Vite+ then downloads and installs into an escaped directory outside its normal cache location.
Remediation
Users should update to Vite+ version 0.1.17 or later, where this vulnerability has been patched.