Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-34092Path Equivalence: '//multiple/leading/slash' in Vite

CWE-50Path Equivalence: '//multiple/leading/slash'CWE-200Sensitive Information ExposureCWE-706Use of Incorrectly-Resolved Name or ReferenceCWE-178Improper Handling of Case SensitivityCWE-284Improper Access Control7 documents4 sources
Severity
7.5HIGHNVD
EPSS
55.1%
top 1.94%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Vitejs Vite
Timeline
PublishedJun 1
Latest updateJan 19

Description

Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in th

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDvitejs/vite2.7.02.9.17+9
npmvitejs/vite2.7.02.9.17+9
CVEListV5vitejs/vite4 versions+3

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem2024-01-19
GHSA
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem2024-01-19
OSV
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)2023-06-06
GHSA
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)2023-06-06

💥Exploits & PoCs

1
Nuclei
Vite Dev Server - Information Exposure