-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| vite | npm | >= 2.7.0, <= 2.9.17 | 2.9.18 |
| vite | npm | >= 3.0.0, <= 3.2.8 | 3.2.10 |
| vite | npm | >= 4.0.0, <= 4.5.2 | 4.5.3 |
| vite | npm | >= 5.0.0, <= 5.0.12 | 5.0.13 |
| vite | npm | >= 5.1.0, <= 5.1.6 | 5.1.7 |
| vite | npm | >= 5.2.0, <= 5.2.5 | 5.2.6 |
JavaScriptJavaScriptMiggo AIRoot Cause AnalysisThe vulnerability stems from two key elements in static.ts: 1) The isFileServingAllowed() function's pattern matching implementation using problematic picomatch options, and 2) The _matchOptions configuration that enabled matchBase mode. The commit diff shows these were the specific elements modified in the patch - changing matchBase to false, adding dot: true, and modifying pattern handling. These changes directly address the documented issue where directory patterns in fs.deny were ineffective due to basename-only matching.
Ongoing coverage of React2Shell