Vite (Node/Bun), Directory Traversal, CVE-2023-34092 (Critical)

How the CVE Works

CVE-2023-34092 exploits improper request validation in Vite’s development server when running on Node.js or Bun. The vulnerability arises due to mishandling of the character in HTTP request targets, which violates HTTP/1.1 (RFC 9112). Attackers can craft malicious requests containing to bypass `server.fs.deny` restrictions, leading to arbitrary file disclosure (e.g., /etc/passwd). Node and Bun incorrectly forward such malformed requests to userland applications, while Deno sanitizes them. The flaw allows unauthorized access to sensitive files if the dev server is exposed to the network.

DailyCVE Form

Platform: Vite (Node/Bun)
Version: <5.0.0
Vulnerability: Directory Traversal
Severity: Critical
Date: 2023-08-22

What Undercode Say:

Exploitation:

1. Craft Malicious Request:

curl --request-target "/@fs/.../../../../../etc/passwd" http://vite-server:5173

2. Bypass `server.fs.deny`:

The “ tricks Vite into ignoring path traversal checks.

Protection:

1. Patch: Upgrade to Vite ≥5.0.0.

2. Network Restriction: Avoid exposing the dev server (`--host`).

3. Runtime Enforcement: Use Deno for dev servers.

Detection:

grep -r "server.fs.deny" /path/to/vite/config

Mitigation Code:

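// vite.config.js
export default {
  server: {
    fs: {
      // Restrict serving files outside of the workspace root
      strict: true,
      // Blocklist of sensitive files the dev server must not serve
      deny: ['.env', '.key']
    }
  }
}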
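
Because the flaw described above depends on Node and Bun handing a malformed request target to userland, the target can also be validated before Vite's own middlewares see it. The following is an added example, not code from the original page or from the Vite project: a dev-server plugin that rejects any request target outside the RFC 9112 origin-form grammar, and any path containing a dot segment. The names `rejectReason` and `strictRequestTarget` are hypothetical; the plugin would be listed under `plugins` in `vite.config.js`.

```javascript
// Added example, not Vite's own code. Function and plugin names are hypothetical.
// RFC 3986 pchar: unreserved / pct-encoded / sub-delims / ":" / "@"
const PCHAR = "(?:[A-Za-z0-9._~!$&'()*+,;=:@-]|%[0-9A-Fa-f]{2})";
// RFC 9112 origin-form: absolute-path [ "?" query ]
const ORIGIN_FORM = new RegExp(`^(?:/${PCHAR}*)+(?:\\?(?:${PCHAR}|[/?])*)?$`);

// Returns null when the raw request target is acceptable, else a reason string.
function rejectReason(target) {
  if (typeof target !== "string" || !ORIGIN_FORM.test(target)) {
    return "not a valid origin-form request-target";
  }
  const path = target.split("?", 1)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch {
    return "percent-encoding is not valid UTF-8";
  }
  // Clients resolve dot segments before sending, so none should arrive here,
  // whether literal or percent-encoded, with either slash style.
  if (decoded.split(/[\\\/]/).includes("..")) {
    return "dot-segment in path";
  }
  return null;
}

// Middleware added directly inside configureServer runs before Vite's
// internal middlewares, so rejected targets never reach the fs checks.
function strictRequestTarget() {
  return {
    name: "strict-request-target", // hypothetical plugin name
    apply: "serve", // dev server only
    configureServer(server) {
      server.middlewares.use((req, res, next) => {
        const reason = rejectReason(req.url); // req.url is the raw request target
        if (reason === null) return next();
        res.statusCode = 400;
        res.end(`Bad Request: ${reason}`);
      });
    },
  };
}
```

A burst of 400 responses from this middleware on a dev server is itself worth alerting on, since ordinary browser traffic does not produce such targets.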

Analytics:

  • Attack Vector: Network (HTTP)
  • Complexity: Low (PoC public)
  • CVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

References:

Reported By: https://github.com/advisories/GHSA-356w-63v5-8wf4