Vite, Directory Traversal, CVE-2025-12345 (Critical)

How the CVE Works

Vite's `server.fs.deny` option is meant to stop the dev server from serving sensitive files out of the project; its defaults cover `.env`, `.env.*`, `*.{crt,pem}` and `**/.git/**`. In the affected versions the deny check is applied to the request path as received, without first normalizing a trailing `/.` or `/./` segment. A request for `/.env/.` therefore does not match the `.env` deny pattern, yet the filesystem resolves `.env/.` to `.env`, so the file is served; the same trick reaches other denied files under the project root. The flaw is only exposed when the dev server listens beyond loopback (started with `--host`, or with `server.host` set in the config), since Vite binds to localhost by default. Nothing else is needed: one unauthenticated GET reads the file.
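The mismatch described above, as an added illustration that is not Vite's code: a toy deny check that compares the raw request path against the deny list (the vulnerable shape) next to one that normalizes the path first (the fixed shape). The deny list, the literal-path matching and the function names are assumptions made for the demo; Vite's real check uses glob patterns and a different code path. The model also normalizes `./` and `..` spellings of the same file, which is the general lesson about normalization before matching, not a claim about which of those forms any Vite release accepted.

```javascript
// Added example, not Vite's code: a toy model of a server.fs.deny check.
// Vite's real check uses glob patterns; literal paths are enough here to show
// why an unnormalized "/.env/." request slips past a check for ".env".

// Constructed deny list (assumption): project-root-relative literal paths.
const DENY = new Set(['.env', '.env.production', 'server.key']);

// The path as the vulnerable check sees it: query stripped, percent-decoded,
// leading slashes removed, but "." and ".." segments left untouched.
function rawPath(url) {
  const target = url.split('?')[0];
  let decoded;
  try {
    decoded = decodeURIComponent(target);
  } catch {
    decoded = target; // malformed escape: keep as-is rather than crash
  }
  return decoded.replace(/^\/+/, '');
}

// Collapse "." segments, resolve ".." without climbing above the root,
// and drop empty segments, so every spelling of a file compares equal.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out.join('/');
}

// Vulnerable shape: the deny list is consulted with the path as requested.
// ".env/." is not in the set, so the request passes, but the filesystem
// resolves ".env/." to ".env" and the secret is served.
function isDeniedVulnerable(url) {
  return DENY.has(rawPath(url));
}

// Fixed shape: normalize first, then consult the deny list.
function isDeniedFixed(url) {
  return DENY.has(normalizePath(rawPath(url)));
}

// "bypass" marks the dangerous case: the raw check lets the request through
// although the normalized path is on the deny list.
function classify(url) {
  if (isDeniedVulnerable(url)) return 'denied';
  return isDeniedFixed(url) ? 'bypass' : 'allowed';
}

// Constructed request targets for the demo.
const SAMPLES = ['/.env', '/.env/.', '/./.env', '/%2eenv/.', '/src/../.env', '/src/main.ts'];
for (const u of SAMPLES) console.log(u.padEnd(14), classify(u));
```

Run it with node; `/.env` is reported as denied, `/src/main.ts` as allowed, and every other spelling of `.env` as a bypass, because only the normalized check sees them as the same file.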

DailyCVE Form:

Platform: Vite
Version: <=6.3.3, <=6.2.6, <=6.1.5, <=5.4.18, <=4.5.13
Vulnerability: Directory Traversal
Severity: Critical
Date: May 2, 2025

What Undercode Says:

Exploitation:

curl -i --path-as-is http://vite-dev-server:5173/.env/.   # placeholder host; --path-as-is stops curl squashing the trailing "/." before it is sent. A 200 with the file body confirms the bypass, a 403 means it is blocked.

Mitigation:

npm update vite --save-dev   # stays within the package.json semver range; to move to a fixed line regardless of range: npm install -D vite@latest

Detection (Check Version):

npm list vite

Patch Analysis:

Vite 6.3.4+ enforces strict path normalization, rejecting `/.` sequences.

Interim Workaround (Custom Middleware):

// Inside a plugin's configureServer(server) hook in vite.config.js; a stopgap only, upgrading is
// the fix. res is Node's raw ServerResponse (it has no res.status()), and matching every "/."
// would also reject Vite's own /node_modules/.vite/ URLs, so only a bare "." path segment is blocked.
server.middlewares.use((req, res, next) => {
  const segs = decodeURIComponent(req.url.split('?')[0]).split('/');
  if (segs.includes('.')) {
    res.statusCode = 403;
    res.end();
  } else next();
});

Network Restriction:

vite --host 127.0.0.1   # bind to loopback only; a bare --host (no address) listens on all interfaces

Log Monitoring:

Vite keeps no access log of its own and nothing is written to /var/log/vite.log, so capture the dev server's output first, for example NO_COLOR=1 vite --debug 2>&1 | tee vite.log (the vite:time debug lines carry each request URL), or use the access log of a reverse proxy placed in front of the server. Then search for request paths that end in a bare "." segment, percent-encoded forms included:

grep -Ei '/(\.|%2e)(/|\?|[[:space:]]|$)' vite.log
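The same search as a small scanner, added here as an example and not part of the original post or of Vite. Vite writes no access log, so the lines below are constructed in common-log style as a reverse proxy in front of the dev server might emit them (an assumption). The scanner pulls the request target out of each line, percent-decodes it, and flags any path that contains a bare `.` segment, which is the shape of this bypass; a plain grep for `/.` would also hit Vite's legitimate `/node_modules/.vite/` requests and would miss the `%2E` spelling.

```javascript
// Added example: flag dev-server requests shaped like the "/.env/." bypass.
// Log format is an assumption (common log style, e.g. from a reverse proxy).

// Constructed sample lines; the last two are attack shapes, one percent-encoded.
const LOG = `
10.0.0.5 - - [02/May/2025:10:01:12 +0000] "GET /src/main.ts HTTP/1.1" 200 812
10.0.0.5 - - [02/May/2025:10:01:13 +0000] "GET /node_modules/.vite/deps/react.js HTTP/1.1" 200 9201
10.0.0.9 - - [02/May/2025:10:02:40 +0000] "GET /.env HTTP/1.1" 403 57
10.0.0.9 - - [02/May/2025:10:02:41 +0000] "GET /.env/. HTTP/1.1" 200 128
10.0.0.9 - - [02/May/2025:10:02:42 +0000] "GET /%2Eenv/%2E?x=1 HTTP/1.1" 200 128
`.trim().split('\n');

// The request target is the second token inside the quoted request line.
const REQ_RE = /"(?:GET|HEAD|POST|OPTIONS) (\S+) HTTP\/[\d.]+"/;

// Extract the path: drop the query string, then percent-decode so "%2E" reads as ".".
function requestPath(line) {
  const m = REQ_RE.exec(line);
  if (!m) return null;
  const target = m[1].split('?')[0];
  try {
    return decodeURIComponent(target);
  } catch {
    return target; // malformed escape: keep the raw target
  }
}

// A bare "." segment anywhere in the path is what turns "/.env" into "/.env/.".
// Dotfile segments such as ".vite" are not bare "." and are left alone.
function hasDotSegment(path) {
  return path.split('/').some((seg) => seg === '.');
}

// Return the offending lines with their status, so a 200 on a dot-segment path
// (a successful read) can be escalated over a 403 (blocked attempt).
function findBypassAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const p = requestPath(line);
    if (p && hasDotSegment(p)) {
      const status = Number((/" (\d{3}) /.exec(line) || [])[1]);
      hits.push({ path: p, status, line });
    }
  }
  return hits;
}

for (const h of findBypassAttempts(LOG)) console.log(h.status, h.path);
```

Against the constructed lines this reports two hits, both resolving to `/.env/.` with status 200, and ignores the `/node_modules/.vite/` request and the plain `/.env` that was correctly refused.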

Impact Verification:

// Run in the browser console on the dev server's origin; a 200 whose body starts with the file's contents confirms exposure, a 403 means it is blocked
fetch('/.env/.').then(async (res) => console.log(res.status, (await res.text()).slice(0, 80)));

DevSecOps Integration:

# CI/CD step (GitHub Actions syntax). vite is normally a devDependency, so do not pass
# --production / --omit=dev, which would skip it; fail the job on high or critical findings.
- name: Audit Vite
  run: npm audit --audit-level=high

Related Setting (Keep Enabled, Not a Workaround):

// vite.config.js. server.fs.strict is already true by default and governs the allow list;
// keep it on, because strict: false disables both the allow and the deny checks, but it
// does not close the "/." bypass on its own, so treat it as defence in depth, not as the fix.
export default {
  server: {
    fs: {
      strict: true
    }
  }
}

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
