{ "canonical_id": "vite--CVE-2024-31207", "system_id": "vite", "display_name": "Vite", "category": "frameworks", "advisory_mode": "core", "title": "Vite's `server.fs.deny` did not deny requests for patterns with directories.", "summary": "### Summary\n[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.\n\n### Impact\nOnly apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Patches\nFixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18\n\n### Details\n`server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. [matchBase](https://github.com/micromatch/picomatch/blob/master/README.md#options:~:text=Description-,basename,-boolean) only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch.\nVite also does not set `{ dot: true }` and that causes [dotfiles not to be denied](https://github.com/micromatch/picomatch/blob/master/README.md#options:~:text=error%20is%20thrown.-,dot,-boolean) unless they are explicitly defined.\n\n**Reproduction**\n\nSet fs.deny to `['**/.git/**']` and then curl for `/.git/config`.\n\n* with `matchBase: true`, you can get any file under `.git/` (config, HEAD, etc).\n* with `matchBase: false`, you cannot get any file under `.git/` (config, HEAD, etc).\n", "published_at": "2024-04-03T16:46:17Z", "updated_at": "2024-04-05T01:28:39.527659Z", "severity": "low", "cvss_score": 3.1, "exploit_status": "unknown", "source_confidence": "official", "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g", "secondary_source_urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2024-31207", "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0", "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48", "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67", "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9", "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258", "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649", "https://github.com/vitejs/vite" ], "aliases": [ "CVE-2024-31207", "GHSA-8jhw-289h-jh2g" ], "cve_ids": [ "CVE-2024-31207" ], "ghsa_ids": [ "GHSA-8jhw-289h-jh2g" ], "osv_ids": [ "GHSA-8jhw-289h-jh2g" ], "affected_versions": [ "introduced=2.7.0, fixed<2.9.18", "introduced=3.0.0, fixed<3.2.10", "introduced=4.0.0, fixed<4.5.3", "introduced=5.0.0, fixed<5.0.13", "introduced=5.1.0, fixed<5.1.7", "introduced=5.2.0, fixed<5.2.6" ], "fixed_versions": [ "2.9.18", "3.2.10", "4.5.3", "5.0.13", "5.1.7", "5.2.6" ], "package_name": "vite", "render_markdown": true, "case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2024-31207.md", 
"secure_code_topics": [ "dependency-upgrade-policy", "file-upload-validation", "proxy-trust-boundary" ], "status": "generated", "triage_reasons": [], "verification_status": "triage-manual", "verification_mode": "synthetic", "last_verified_at": null, "last_run_id": null, "evidence_bundle": null, "historical_status": null, "latest_status": null, "browser_evidence": { "required": false, "present": false, "refs": [] }, "repro_profile_id": "vite-proxy-boundary", "artifact_mode": "official-source", "blocked_reason": null, "metadata": { "source_names": [ "OSV Vite" ], "source_kinds": [ "osv-batch" ], "candidate_count": 1 } }