Vite, Path Bypass Vulnerability, CVE-2025-45431 (Moderate)


CVE-2025-45431 is a path normalization flaw in the Vite dev server that affects Windows hosts only. The `server.fs.deny` option is meant to block the dev server from serving sensitive files such as `.env`. The deny check, however, compares the requested URL against the deny patterns before backslashes are treated as path separators, so a request whose path ends in a backslash (`\`) is not matched: `/.env\` does not match the deny entry for `/.env`. The server then hands the unmatched path to `fs.readFile`, and on Windows the filesystem accepts the trailing backslash and opens `.env` anyway. The file contents are returned to the client, exposing data the deny list should have protected. The same trick applies to any other denied file, for example `/secret.pem\`.

DailyCVE

Platform: Vite
Version: 2.9.18-5.4.20
Vulnerability: Path Bypass
Severity: Moderate

Date: 2024-10-20

Prediction: 2024-10-27

What Undercode says:

curl 'http://localhost:5173/.env\'
// server.fs.deny bypass: the deny check does not match the trailing backslash,
// but on Windows fs.readFile still opens the .env file (path is illustrative)
const fs = require('fs');
fs.readFile('C:\\project\\.env\\', 'utf8', (err, data) => console.log(err || data));

How to exploit:

Send HTTP GET requests for denied files with a trailing backslash appended to the path (e.g. `/.env\`, `/secret.pem\`) to a Windows-hosted Vite dev server with `server.fs.deny` configured; the response body contains the file.

Protection from this CVE

Update to a patched version: 7.1.11, 7.0.8, 6.4.1, or 5.4.21, depending on the major version in use.

Impact:

Unauthorized disclosure of files that `server.fs.deny` was configured to protect, such as `.env` and private keys, from a Windows-hosted Vite dev server.

Sources:

Reported By: github.com