vite@4.3.9 vulnerabilities

Native-ESM powered web dev build tool

latest version

5.2.9
latest non vulnerable version

6.0.0-alpha.2
first published

4 years ago
latest version published

3 days ago
licenses detected
- MIT
  >=0
View vite package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Improper Access Control vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Improper Access Control due to improper request handling through `server.fs.deny` configuration, which fails to deny requests for patterns with directories. This misconfiguration allows an attacker to bypass intended access restrictions and retrieve sensitive files from the server by crafting specific requests. Note: Only apps setting a custom `server.fs.deny` that includes a pattern with directories and explicitly exposing the Vite dev server to the network (using `--host` or server.host config option) are affected. How to fix Improper Access Control? Upgrade `vite` to version 2.9.18, 3.2.10, 4.5.3, 5.0.13, 5.1.7, 5.2.6 or higher.	>=2.7.0 <2.9.18 >=3.0.0 <3.2.10 >=4.0.0 <4.5.3 >=5.0.0 <5.0.13 >=5.1.0 <5.1.7 >=5.2.0 <5.2.6
H Access Control Bypass vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Access Control Bypass via the `server.fs.deny` option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows. How to fix Access Control Bypass? Upgrade `vite` to version 2.9.17, 3.2.8, 4.5.2, 5.0.12 or higher.	>=2.7.0 <2.9.17 >=3.0.0 <3.2.8 >=4.0.0 <4.5.2 >=5.0.0 <5.0.12

Improper Access Control

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Improper Access Control due to improper request handling through server.fs.deny configuration, which fails to deny requests for patterns with directories. This misconfiguration allows an attacker to bypass intended access restrictions and retrieve sensitive files from the server by crafting specific requests.

Note:

Only apps setting a custom server.fs.deny that includes a pattern with directories and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

How to fix Improper Access Control?

Upgrade vite to version 2.9.18, 3.2.10, 4.5.3, 5.0.13, 5.1.7, 5.2.6 or higher.

>=2.7.0 <2.9.18 >=3.0.0 <3.2.10 >=4.0.0 <4.5.3 >=5.0.0 <5.0.13 >=5.1.0 <5.1.7 >=5.2.0 <5.2.6

Access Control Bypass

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Access Control Bypass via the server.fs.deny option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows.

How to fix Access Control Bypass?

Upgrade vite to version 2.9.17, 3.2.8, 4.5.2, 5.0.12 or higher.

>=2.7.0 <2.9.17 >=3.0.0 <3.2.8 >=4.0.0 <4.5.2 >=5.0.0 <5.0.12

Go back to all versions of this package

vite@4.3.9 vulnerabilities

Native-ESM powered web dev build tool

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities