| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @cloudflare/vite-plugin | npm | < 1.6.0 | 1.6.0 |
The vulnerability is an information disclosure issue in @cloudflare/vite-plugin. The root cause is that the Vite development server configuration generated by the plugin places no restrictions on which files the dev server may serve. The `cloudflare` function in `packages/vite-plugin-cloudflare/src/index.ts` is the plugin's main entry point and is responsible for generating this configuration. The fixing commit 0e500720bf70016fa4ea21fc8959c4bd764ebc38 patches the issue by adding a `server.fs.deny` array to the configuration object that `cloudflare` returns; the new entries explicitly prevent the Vite dev server from serving sensitive files such as `.env` and `.dev.vars`. Because `cloudflare` produced the insecure configuration, it is identified as the vulnerable function; it is called as part of the Vite dev server setup process.
The default configuration has no reason to expose information outside of the configured assets directory.
Example:

- `curl http://somehost/.env` may expose secrets
- `curl http://somehost/.dev.vars` may expose secrets
- `curl http://somehost/package.json` may expose the dependencies used by the project, potentially leading to other vulnerabilities
- `curl http://somehost/README.md` may expose internal documentation
- etc.
The impact is information disclosure to anyone on the same network as the dev server, or to anyone on the Internet if the dev server is exposed, for example via cloudflared as explored here: https://github.com/cloudflare/workers-sdk/discussions/3455#discussioncomment-6165773
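To make the effect of the fix concrete, the following is an added example (not code from @cloudflare/vite-plugin or from Vite) that models the dev server's `server.fs.deny` decision in miniature and probes the request paths listed above against a configuration with no deny list and one with the deny list the fix introduces. The exact shape of the two configuration objects, the `.env.*` / `.dev.vars.*` variants in the deny list, and the simplified glob matcher are assumptions made for the example; Vite itself uses picomatch for this check.

```javascript
// Added example, not code from @cloudflare/vite-plugin or Vite. It models the
// dev server's server.fs.deny decision in miniature so the two configurations
// can be compared against the request paths from the advisory.

// Shape of the config the plugin returned before the fix (assumed for the
// example): nothing in server.fs restricts which files may be served.
const insecureConfig = { server: { fs: {} } };

// Shape after the fix: an explicit deny list. The advisory names .env and
// .dev.vars; the ".*" variants are an assumption covering per-mode files
// such as .env.production.
const hardenedConfig = {
  server: { fs: { deny: [".env", ".env.*", ".dev.vars", ".dev.vars.*"] } },
};

// Minimal glob-to-RegExp: exact names plus "*" as "any run of non-slash
// characters". Vite uses picomatch; this covers only the patterns above.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, "[^/]*");
  return new RegExp(`^${escaped}$`);
}

// Last path segment of a request URL, ignoring query string and fragment,
// so "/.env?x=1" is still judged as ".env".
function requestBasename(urlPath) {
  const clean = urlPath.split("?")[0].split("#")[0];
  const segments = clean.split("/").filter(Boolean);
  return segments.length ? segments[segments.length - 1] : "";
}

// True when the dev server must refuse to serve urlPath under this config.
// Deny patterns are matched against the file name at any depth, which is how
// a bare ".env" entry is meant to behave.
function isDenied(config, urlPath) {
  const deny =
    (config.server && config.server.fs && config.server.fs.deny) || [];
  const name = requestBasename(urlPath);
  return deny.some((pattern) => globToRegExp(pattern).test(name));
}

// Probe a list of request paths and return the ones the server would hand out.
function probe(config, paths) {
  return paths.filter((p) => !isDenied(config, p));
}

// Constructed request paths: the advisory's examples plus two variants.
const probePaths = [
  "/.env",
  "/.dev.vars",
  "/config/.env.production",
  "/package.json",
  "/README.md",
  "/src/index.ts",
];

console.log("served (insecure):", probe(insecureConfig, probePaths));
console.log("served (hardened):", probe(hardenedConfig, probePaths));
```

Running this shows that the insecure configuration hands out every probed path, while the hardened one still refuses `.env`, `.dev.vars` and the per-mode `.env.production` even when a query string is appended. Note that the deny list only names secret files: `package.json`, `README.md` and source files remain readable, which is why the dev server should never be reachable beyond the developer's own machine regardless of the fix.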