Headline
GHSA-859w-5945-r5v3: Vite's server.fs.deny bypassed with /. for files under project root
Summary
The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.
- Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
- Examples of other patterns: **/.git/**, .git/**, .git/**/*
Details
server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns could be bypassed for files under root by using a combination of slash and dot (/.).
PoC
npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173
References
- GHSA-859w-5945-r5v3
- vitejs/vite@c22c43d