CVE-2024-23331
Information Disclosure vulnerability in vite (npm)
What is CVE-2024-23331 About?
This vulnerability allows bypassing Vite's `server.fs.deny` security control on case-insensitive file systems. Its impact is unauthorized access to sensitive files that the deny list was intended to block. Exploitation is relatively easy: it requires only knowledge of a denied file's path and a case-variant spelling of its filename on an affected operating system.
Affected Software
- vite
- >3.0.0, <3.2.8
- >4.0.0, <4.5.2
- >5.0.0, <5.0.12
- >2.7.0, <2.9.17
Technical Details
The vulnerability is a bypass of Vite's `server.fs.deny` configuration option, which is designed to prevent the dev server from serving sensitive files or directories. The bypass specifically affects environments with case-insensitive file systems, such as Windows. The picomatch library that Vite uses for glob matching defaults to case-sensitive behavior (`nocase: false`), while the underlying file system does not distinguish between case variations of the same name. An attacker can request a file that should be denied (e.g., `custom.secret`) using a case-variant spelling of its filename (e.g., `custom.sEcReT`). Because the picomatch matcher is case-sensitive, `custom.sEcReT` does not match the `custom.secret` deny rule, and the server then serves the file because the operating system resolves the case-variant name to the same file. The result is arbitrary file access when the path is known.
What is the Impact of CVE-2024-23331?
Successful exploitation may allow attackers to read sensitive files, configuration data, and credentials that were intended to be protected, leading to information disclosure, unauthorized access, or further compromise of the system.
What is the Exploitability of CVE-2024-23331?
Exploitation of this vulnerability is of low to moderate complexity. It requires an attacker to have remote access to an exposed Vite dev server running on a case-insensitive file system (e.g., Windows). No authentication or specific privileges are required, as the attack targets the file server's access control. The primary prerequisites are knowledge of the file paths and the ability to send requests with case-variant filenames. The attack is remote, performed by making HTTP requests to the exposed Vite dev server. The special condition is the presence of a case-insensitive file system, which is the fundamental mismatch that enables the bypass. Risk factors that increase the likelihood of exploitation include publicly exposed Vite dev servers, particularly on Windows, and developers relying solely on `server.fs.deny` to protect sensitive files without accounting for case-sensitivity differences between the matcher and the file system.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-23331?
Available Upgrade Options
- vite
- >2.7.0, <2.9.17 → Upgrade to 2.9.17
- vite
- >3.0.0, <3.2.8 → Upgrade to 3.2.8
- vite
- >4.0.0, <4.5.2 → Upgrade to 4.5.2
- vite
- >5.0.0, <5.0.12 → Upgrade to 5.0.12
Additional Resources
- https://github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691
- https://github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb
- https://nvd.nist.gov/vuln/detail/CVE-2024-23331
- https://github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278
- https://github.com/vitejs/vite
- https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
- https://nvd.nist.gov/vuln/detail/CVE-2023-34092
- https://vitejs.dev/config/server-options.html#server-fs-deny
What are Similar Vulnerabilities to CVE-2024-23331?
Similar Vulnerabilities: CVE-2023-34092, CVE-2021-44790, CVE-2020-15175, CVE-2019-1002005, CVE-2018-1000136
