The vulnerability lies in the isFileLoadingAllowed function located in packages/vite/src/node/server/middlewares/static.ts. This function is intended to prevent access to sensitive files as defined in the server.fs.deny configuration of Vite. The flaw is that the function did not properly sanitize the input file path before checking it against the deny list. Specifically, it did not account for trailing slashes in the path.

On Windows systems, an attacker could request a denied file by appending a backslash to the URL (e.g., /.env\\). The Vite development server would process this path with a trailing slash. While the config.fsDenyGlob check would fail to recognize /.env/ as a denied path, the underlying Node.js fs.readFile call would treat /.env/ as /.env and serve the file's contents.

The provided patch rectifies this by adding logic to isFileLoadingAllowed to remove any trailing slashes from the file path before it is passed to config.fsDenyGlob, ensuring that paths like /.env/ are correctly identified as denied. Therefore, any runtime profile of a vulnerable application would show the isFileLoadingAllowed function being called during an exploit attempt.
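As an added example (not Vite's own code), the following JavaScript reduces the check described above to its essentials: a small hand-written glob compiler and basename matching stand in for Vite's picomatch-based config.fsDenyGlob, the deny list is a copy of Vite's documented defaults, and the two isFileLoadingAllowed* functions are hypothetical names for the pre-patch and post-patch shapes of the check.

```javascript
// Constructed copy of Vite's documented default server.fs.deny patterns.
const DENY = [".env", ".env.*", "*.{crt,pem}", "**/.git/**"];

// Hypothetical minimal glob compiler (not picomatch): supports **, * and {a,b}.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (glob.startsWith("**/", i)) { re += "(?:.*/)?"; i += 2; }
    else if (glob.startsWith("/**", i)) { re += "(?:/.*)?"; i += 2; }
    else if (c === "*") re += "[^/]*";
    else if (c === "{") re += "(?:";
    else if (c === "}") re += ")";
    else if (c === ",") re += "|";
    else re += c.replace(/[.+?^$()[\]\\|]/g, "\\$&");
  }
  return new RegExp(`^${re}$`, "i");
}
const DENY_RE = DENY.map(globToRegExp);

// Vite normalises Windows backslashes to forward slashes, so "/.env\" becomes "/.env/".
function normalizePath(p) {
  return p.replace(/\\/g, "/");
}

// Patterns without a slash are matched against the basename (like picomatch's matchBase).
// A trailing separator leaves an empty basename, so ".env" never matches "/.env/".
function matchesDeny(relPath) {
  const base = relPath.slice(relPath.lastIndexOf("/") + 1);
  return DENY_RE.some((re, i) => re.test(DENY[i].includes("/") ? relPath : base));
}

// Vulnerable shape: the normalised path is handed to the deny check as-is.
function isFileLoadingAllowedVulnerable(urlPath) {
  return !matchesDeny(normalizePath(urlPath));
}

// Fixed shape: trailing separators are stripped first, as the patch described above does,
// so "/.env/" and "/.env\" are checked as "/.env" and correctly denied.
function isFileLoadingAllowedFixed(urlPath) {
  const stripped = normalizePath(urlPath).replace(/\/+$/, "");
  return !matchesDeny(stripped);
}
```

Running both shapes over "/.env\\" shows the vulnerable check allowing the request while the fixed one denies it; "/src/main.ts" stays allowed in both.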
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| vite | npm | >= 7.1.0, <= 7.1.10 | 7.1.11 |
| vite | npm | >= 7.0.0, <= 7.0.7 | 7.0.8 |
| vite | npm | >= 6.0.0, <= 6.4.0 | 6.4.1 |
| vite | npm | >= 2.9.18, < 3.0.0 | 5.4.21 |
| vite | npm | >= 3.2.9, < 4.0.0 | 5.4.21 |
| vite | npm | >= 4.5.3, < 5.0.0 | 5.4.21 |
| vite | npm | >= 5.2.6, <= 5.4.20 | 5.4.21 |