Improper Access Control Affecting vite package, versions >=2.7.0 <2.9.18 >=3.0.0 <3.2.10 >=4.0.0 <4.5.3 >=5.0.0 <5.0.13 >=5.1.0 <5.1.7 >=5.2.0 <5.2.6
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-VITE-6531286
- published 4 Apr 2024
- disclosed 3 Apr 2024
- credit jtmcdole
How to fix?
Upgrade vite to version 2.9.18, 3.2.10, 4.5.3, 5.0.13, 5.1.7, 5.2.6 or higher.
Overview
vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Improper Access Control due to improper request handling through server.fs.deny configuration, which fails to deny requests for patterns with directories. This misconfiguration allows an attacker to bypass intended access restrictions and retrieve sensitive files from the server by crafting specific requests.
Note:
Only apps setting a custom server.fs.deny that includes a pattern with directories and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
PoC
Set fs.deny to ['**/.git/**'] and then curl for /.git/config.
with matchBase: true, you can get any file under .git/ (config, HEAD, etc).