CVE-2024-31207: Vite's `server.fs.deny` did not deny requests for patterns with directories.
5.9
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.29094%
CWE
Published
4/3/2024
Updated
4/4/2024
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| vite | npm | >= 2.7.0, <= 2.9.17 | 2.9.18 |
| vite | npm | >= 3.0.0, <= 3.2.8 | 3.2.10 |
| vite | npm | >= 4.0.0, <= 4.5.2 | 4.5.3 |
| vite | npm | >= 5.0.0, <= 5.0.12 | 5.0.13 |
| vite | npm | >= 5.1.0, <= 5.1.6 | 5.1.7 |
| vite | npm | >= 5.2.0, <= 5.2.5 | 5.2.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key elements in static.ts: 1) The isFileServingAllowed() function's pattern matching implementation using problematic picomatch options, and 2) The _matchOptions configuration that enabled matchBase mode. The commit diff shows these were the specific elements modified in the patch - changing matchBase to false, adding dot: true, and modifying pattern handling. These changes directly address the documented issue where directory patterns in fs.deny were ineffective due to basename-only matching.