5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-31207

GHSA ID

GHSA-8jhw-289h-jh2g

EPSS Score

0.29094%

CWE

CWE-200

Published

4/3/2024

Updated

4/4/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-31207

CVE-2024-31207: Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-31207

GHSA ID

GHSA-8jhw-289h-jh2g

EPSS Score

0.29094%

CWE

CWE-200

Published

4/3/2024

Updated

4/4/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vite	npm	>= 2.7.0, <= 2.9.17	2.9.18
vite	npm	>= 3.0.0, <= 3.2.8	3.2.10
vite	npm	>= 4.0.0, <= 4.5.2	4.5.3
vite	npm	>= 5.0.0, <= 5.0.12	5.0.13
vite	npm	>= 5.1.0, <= 5.1.6	5.1.7
vite	npm	>= 5.2.0, <= 5.2.5	5.2.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key elements in static.ts: 1) The isFileServingAllowed() function's pattern matching implementation using problematic picomatch options, and 2) The _matchOptions configuration that enabled matchBase mode. The commit diff shows these were the specific elements modified in the patch - changing matchBase to false, adding dot: true, and modifying pattern handling. These changes directly address the documented issue where directory patterns in fs.deny were ineffective due to basename-only matching.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry [Vit* **v s*rv*r option](*ttps://vit*js.**v/*on*i*/s*rv*r-options.*tml#s*rv*r-*s-**ny) `s*rv*r.*s.**ny` *i* not **ny r*qu*sts *or p*tt*rns wit* *ir**tori*s. *n *x*mpl* o* su** * p*tt*rn is `/*oo/**/*`. ### Imp**t Only *pps s*ttin* * *ust

Reasoning

T** vuln*r**ility st*ms *rom two k*y *l*m*nts in `st*ti*.ts`: *) T** `is*il*S*rvin**llow**()` *un*tion's p*tt*rn m*t**in* impl*m*nt*tion usin* pro*l*m*ti* pi*om*t** options, *n* *) T** `_m*t**Options` *on*i*ur*tion t**t *n**l** m*t****s* mo**. T** *o

5.9

Basic Information

Concerned about an active attack path?

CVE-2024-31207: Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary

Impact

Patches

Details

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI