CVE-2023-34092
Security vulnerability in vite (npm)
What is CVE-2023-34092 About?
This vulnerability in Vite's development server allows the server.fs.deny option to be bypassed with a request path that begins with a double forward slash (//), exposing files the option is meant to protect, such as .env files. Only files in the immediate project root can be exposed, and only when the dev server has been explicitly exposed to the network (for example with --host or server.host). Exploitation is easy: a single unauthenticated HTTP request with a crafted URL is enough.
Affected Software
- vite
- <2.9.16
- >=3.0.2, <3.2.7
- >=4.0.0, <4.0.5
- >=4.1.0, <4.1.5
- >=4.2.0, <4.2.3
- >=4.3.0, <4.3.9
Technical Details
The vulnerability arises in Vite's development server, which uses the server.fs.deny option (by default ['.env', '.env.*', '*.{crt,pem}']) to refuse requests for sensitive files. Before the fix, the deny check was applied to the path obtained by parsing the request URL, and a path beginning with a double forward slash (for example //.env or //.env.local) is interpreted by a WHATWG URL parser as a scheme-relative URL: the segment after the slashes becomes the host and the pathname collapses to /. The deny patterns therefore match nothing, while the static file handler still resolves the raw request to .env in the project root and serves it. Only files directly in the project root are reachable this way, and production builds are not affected, since the dev server and its fs.deny check are not part of them.
What is the Impact of CVE-2023-34092?
Successful exploitation allows an unauthenticated remote attacker to read sensitive files located directly in the Vite project's root directory (files in nested subdirectories are not reachable this way), typically .env files holding API keys, tokens or database credentials. The result is information disclosure, which can enable further compromise of whatever services those secrets protect.
What is the Exploitability of CVE-2023-34092?
Exploitation is straightforward and requires no special tooling. The attacker needs network access to the Vite dev server, which by default listens on localhost only; it becomes reachable when the server is explicitly exposed with the --host flag or the server.host option. No authentication or elevated privileges are required: a single unauthenticated GET request whose path starts with a double forward slash (for example //.env) bypasses the fs.deny safeguard. Production builds are not affected, since the dev server and its fs.deny check are not part of them. The main factor raising the likelihood of exploitation is running an exposed dev server on a shared or untrusted network.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2023-34092?
Available Upgrade Options
- vite
- <2.9.16 → Upgrade to 2.9.16
- >=3.0.2, <3.2.7 → Upgrade to 3.2.7
- >=4.0.0, <4.0.5 → Upgrade to 4.0.5
- >=4.1.0, <4.1.5 → Upgrade to 4.1.5
- >=4.2.0, <4.2.3 → Upgrade to 4.2.3
- >=4.3.0, <4.3.9 → Upgrade to 4.3.9
After upgrading, confirm the vite version actually resolved in the lockfile, since a caret range or a transitive dependency may keep an affected release installed. As a mitigation until the upgrade lands, do not expose the dev server to the network with --host or server.host.
Additional Resources
- https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67
- https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32
- https://github.com/vitejs/vite/pull/13348
- https://osv.dev/vulnerability/GHSA-353f-5xf4-qw67
- https://nvd.nist.gov/vuln/detail/CVE-2023-34092
- https://security.snyk.io/package/npm/vite/3.2.0-beta.4
- https://github.com/vitejs/vite
What are Similar Vulnerabilities to CVE-2023-34092?
Similar Vulnerabilities: CVE-2021-39145, CVE-2023-28154, CVE-2022-24756, CVE-2020-8209, CVE-2021-21315
