CVE-2023-34092
published 2023-06-01
Priority P259 · high · 7.5 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 3.15% (86.3th percentile)
Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using a double forward-slash (`//`), which allows any unauthenticated user to read files from the Vite root path of the application, including files covered by the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | >= 0 < 2.9.16 | 2.9.16 |
| vitejs | vite | >= 2.7.0 < 2.9.17 | 2.9.17 |
| vitejs | vite | >= 2.7.0 < 2.9.17 | 2.9.17 |
| vitejs | vite | >= 3.0.0 < 3.2.8 | 3.2.8 |
| vitejs | vite | >= 3.0.0 < 3.2.8 | 3.2.8 |
| vitejs | vite | >= 3.0.2 < 3.2.7 | 3.2.7 |
| vitejs | vite | >= 3.0.2 < 3.2.7 | 3.2.7 |
| vitejs | vite | >= 4.0.0 < 4.5.2 | 4.5.2 |
| vitejs | vite | >= 4.0.0 < 4.0.5 | 4.0.5 |
| vitejs | vite | >= 4.0.0 < 4.5.2 | 4.5.2 |
| vitejs | vite | >= 4.0.0 < 4.0.5 | 4.0.5 |
| vitejs | vite | >= 4.1.0 < 4.1.5 | 4.1.5 |
| vitejs | vite | >= 4.1.0 < 4.1.5 | 4.1.5 |
| vitejs | vite | >= 4.2.0 < 4.2.3 | 4.2.3 |
| vitejs | vite | >= 4.2.0 < 4.2.3 | 4.2.3 |
| vitejs | vite | >= 4.3.0 < 4.3.9 | 4.3.9 |
| vitejs | vite | >= 4.3.0 < 4.3.9 | 4.3.9 |
| vitejs | vite | >= 5.0.0 < 5.0.12 | 5.0.12 |
| vitejs | vite | >= 5.0.0 < 5.0.12 | 5.0.12 |
Detection & IOCs (extracted from sources)
- url: `{{BaseURL}}//.env`
- path: `//.env`
- other: `/@vite/client`
- Probe for CVE-2023-34092 by first requesting /.env and confirming a 403, then requesting //.env (double forward-slash) and checking for HTTP 200 with 'VITE_APP_SECRET' in the response body.
- The bypass uses double forward-slash paths (//) to circumvent the server.fs.deny blacklist on exposed Vite dev servers.
- Identify exposed Vite dev servers via FOFA or Shodan using the /@vite/client fingerprint in the HTTP response body.
- A similar bypass (CVE-2024-23331) uses case-augmented filenames on case-insensitive filesystems (e.g., Windows); the same server.fs.deny blacklist is evaded.
- Only exposed Vite dev servers are affected; production builds are not vulnerable.
- The detection flow requires a two-step confirmation: /.env must return 403 first, then //.env must return 200 with the secret keyword — both conditions must be met to avoid false positives.
- The related CVE-2024-23331 variant only affects hosts with case-insensitive filesystems (notably Windows), whereas CVE-2023-34092 uses the double-slash path bypass regardless of OS.
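Both bypasses above come down to a deny-list that matches a different string than the one the file lookup resolves. The following is an added example, not Vite's code and not taken from either advisory: a simplified model in which `DENY`, `canonicalSegments`, `servedFile`, `naiveIsDenied` and `isDenied` are hypothetical names, the regexes are hand-written equivalents of the default deny globs, and the request path is assumed to be already percent-decoded.

```javascript
// Added illustration, not Vite's source. DENY holds hand-written regex
// equivalents of the default globs ['.env', '.env.*', '*.{crt,pem}'].
const DENY = [/^\.env$/, /^\.env\..*$/, /^.*\.(crt|pem)$/];

// Collapse empty and "." segments and resolve ".." without leaving the root.
// Assumes urlPath is already percent-decoded.
function canonicalSegments(urlPath) {
  const out = [];
  for (const seg of urlPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return out;
}

// What a file server that normalizes paths would read from disk.
function servedFile(root, urlPath) {
  return [root, ...canonicalSegments(urlPath)].join('/');
}

// Weak: matches the raw request path, so the filter and the file lookup
// disagree about which file is being requested.
function naiveIsDenied(urlPath) {
  const rel = urlPath.replace(/^\//, '');
  return DENY.some((re) => re.test(rel));
}

// Hardened: match the same canonical name the file lookup will use, and
// fold case when the filesystem does.
function isDenied(urlPath, { caseInsensitiveFs = false } = {}) {
  const segs = canonicalSegments(urlPath);
  let base = segs.length ? segs[segs.length - 1] : '';
  if (caseInsensitiveFs) base = base.toLowerCase();
  return DENY.some((re) => re.test(base));
}

// Constructed sample requests (not captured traffic).
const samples = ['/.env', '//.env', '/.ENV', '/certs/server.PEM', '/src/main.js'];
for (const p of samples) {
  console.log(p.padEnd(20), 'naive:', naiveIsDenied(p),
    'hardened:', isDenied(p, { caseInsensitiveFs: true }));
}
```

The hardened check denies on the canonical name, so any request form that resolves to the same file gets the same verdict.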
CVSS provenance
- nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- ghsa · 7.5 · HIGH
- osv · 7.5 · HIGH
OSV
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
osv·2024-01-19·CVSS 7.5
CVE-2024-23331 [HIGH] Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
### Summary
[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
### Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
### Details
Since `picomatch` defaults to case-sensitive glob matching but the file server doesn't discriminate by case, a blacklist bypass is possible.
See `picomatch` usage, where `nocase` is defaulted to `false`: https://git
GHSA
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
ghsa·2024-01-19·CVSS 7.5
CVE-2024-23331 [HIGH] CWE-178 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
OSV
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
osv·2023-06-06
CVE-2023-34092 [HIGH] Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (`//`). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.
### Steps to Fix
1. **Update Vite**: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.
2. **Secure the server configuration**: In your `vite.config.js` file, review and update the server configuration options to restrict access to unauthorized requests or directories.
### Impact
Only users explicitly exposing the Vite dev server to the network (using `--host` or the [`server.host` config opti
GHSA
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
ghsa·2023-06-06
CVE-2023-34092 [HIGH] CWE-200 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Nuclei
Vite Dev Server - Information Exposure
nuclei·CVSS 7.5
CVE-2023-34092 [HIGH] Vite Dev Server - Information Exposure
Vite dev server could allow reading files from the Vite project root by bypassing server.fs.deny with double forward-slash paths (//). This affects exposed dev servers only.
Template:
```yaml
id: CVE-2023-34092
info:
  name: Vite Dev Server - Information Exposure
  author: ritikchaddha
  severity: high
  description: |
    Vite dev server could allow reading files from the Vite project root by bypassing server.fs.deny with double forward-slash paths (//). This affects exposed dev servers only.
  impact: |
    Unauthenticated users can read sensitive files in the project root, potentially leading to information disclosure.
  remediation: |
    Update to Vite version 4.3.9, 4.2.3, 4.1.5, 4.0.5, 3.2.7, or 2.9.16 or later.
  reference:
    - https://github.com/vitejs/vite/security/advisor
```
- https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32
- https://github.com/vitejs/vite/pull/13348
- https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67
Published: 2023-06-01