CVE-2022-35204
Directory Traversal vulnerability in vite (npm)


What is CVE-2022-35204 About?

This vulnerability is a Directory Traversal flaw in Vite before v2.9.13 that allows attackers to access arbitrary files outside the intended directory by requesting a specially crafted URL. It poses a high risk of sensitive information disclosure, with moderate exploitation ease.

Affected Software

  • vite
    • <2.9.13
    • >3.0.0-alpha.0, <3.0.0-beta.4

Technical Details

Vite versions prior to 2.9.13 are susceptible to a Directory Traversal vulnerability. This flaw allows an attacker to bypass directory restrictions by including specially crafted sequences (e.g., ../) within a URL requested from a Vite-served application. When Vite processes such a malicious URL, it misinterprets the path, allowing access to files and directories located outside the webroot or intended application directories. This can lead to the exposure of sensitive configuration files, source code, or other critical system files that are not meant to be publicly accessible, compromising the confidentiality and potentially the integrity of the system.

What is the Impact of CVE-2022-35204?

Successful exploitation may allow attackers to access arbitrary files and directories on the server, leading to sensitive information disclosure or further system compromise.

What is the Exploitability of CVE-2022-35204?

Exploitation complexity is moderate. It primarily involves crafting a malicious URL that includes directory traversal sequences. Prerequisites include a running Vite application (before v2.9.13) that serves static assets or handles file requests in a vulnerable manner. No authentication or special privileges are typically required, as these attacks often target publicly accessible endpoints. This is a remote vulnerability, as the attack is initiated via a malformed URL request. There are no specific special conditions other than the vulnerable Vite version being in use. Risk factors increase if the Vite application serves sensitive data or is configured to run with elevated permissions, or if it is directly exposed to the internet without a protective proxy.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2022-35204?

Available Upgrade Options

  • vite
    • <2.9.13 → Upgrade to 2.9.13
  • vite
    • >3.0.0-alpha.0, <3.0.0-beta.4 → Upgrade to 3.0.0-beta.4
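
To find which installs need one of these upgrades, the following added example (not code from this advisory or from the Vite project) applies the affected ranges listed above to every vite entry in the `packages` map of a package-lock.json, including nested copies pulled in by other tools. It assumes plain SemVer 2.0.0 precedence, so pre-releases of 2.9.13 count as affected; the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected ranges as listed on this page: <2.9.13, and >3.0.0-alpha.0 with <3.0.0-beta.4.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0.0 precedence: returns -1, 0 or 1.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  // A release outranks any pre-release of the same core version.
  if (!x.pre.length || !y.pre.length) return (x.pre.length ? -1 : 0) + (y.pre.length ? 1 : 0);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;          // fewer identifiers sorts first
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p < +q ? -1 : 1;   // numeric identifiers compare as numbers
    if (pn !== qn) return pn ? -1 : 1;       // numeric sorts below alphanumeric
    return p < q ? -1 : 1;                   // otherwise ASCII order
  }
  return 0;
}

// Assumption: ranges are evaluated by precedence only, pre-releases included.
function isAffected(v) {
  return compare(v, '2.9.13') < 0 ||
    (compare(v, '3.0.0-alpha.0') > 0 && compare(v, '3.0.0-beta.4') < 0);
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function findAffectedVite(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, pkg]) => /(^|\/)node_modules\/vite$/.test(p) && pkg.version && isAffected(pkg.version))
    .map(([p, pkg]) => `${p}@${pkg.version}`);
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/vite': { version: '2.9.13' },
  'node_modules/tool-a/node_modules/vite': { version: '2.9.9' },
  'node_modules/tool-b/node_modules/vite': { version: '3.0.0-beta.2' },
  'node_modules/vite-plugin-y': { version: '1.0.0' },
} };
console.log(findAffectedVite(sampleLock));
```

Nested copies matter here: a project can pin a fixed vite at the top level while a dependency still installs an affected version under its own `node_modules`.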

Additional Resources

What are Similar Vulnerabilities to CVE-2022-35204?

Similar Vulnerabilities: CVE-2021-27867, CVE-2020-26880, CVE-2021-21315, CVE-2021-32622, CVE-2018-8012