Jtmcdole

#44323 of 53,624
5.9 Total CVSS
Vulnerabilities · 1
PT-2024-2962 · CVSS 5.9 · 2024-04-03 · Vite · Vite · CVE-2024-31207
**Name of the Vulnerable Software and Affected Versions**

- Vite versions prior to 2.9.18
- Vite versions prior to 3.2.10
- Vite versions prior to 4.5.3
- Vite versions prior to 5.0.13
- Vite versions prior to 5.1.7
- Vite versions prior to 5.2.6

**Description**

The issue is an access-control weakness in the Vite development server: files that a custom `server.fs.deny` option was meant to block can still be served, so a remote attacker who can reach the development server can read them. The impact is disclosure of denied files; the weakness does not by itself give code execution. It affects applications that set a custom `server.fs.deny` option containing patterns with directories (for example `secrets/**`) and that explicitly expose the Vite development server to the network with `--host` or `server.host`.

The `server.fs.deny` option passes its patterns to picomatch with the config `{ matchBase: true }`, which, due to a bug, matches only the basename of the requested file rather than its path; a pattern such as `secrets/**` therefore never matches, and files under that directory are served. Additionally, Vite does not set `{ dot: true }`, so dotfiles are not denied unless a pattern names them explicitly.

**Recommendations**

Update to a fixed release of the branch in use:

- For versions prior to 2.9.18, update to version 2.9.18 or later.
- For versions prior to 3.2.10, update to version 3.2.10 or later.
- For versions prior to 4.5.3, update to version 4.5.3 or later.
- For versions prior to 5.0.13, update to version 5.0.13 or later.
- For versions prior to 5.1.7, update to version 5.1.7 or later.
- For versions prior to 5.2.6, update to version 5.2.6 or later.

As a temporary workaround, restrict access to the Vite development server: do not use the `--host` option, or set `server.host` to `localhost`, so that the server listens only on the loopback interface. Avoid patterns with directories in the `server.fs.deny` option until the update is applied. A development server exposed to a network is reachable by anyone on that network, so `server.fs.deny` should not be the only control over what it serves.
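The following is an added example, not Vite's code: a small model of a `server.fs.deny` check that makes the two behaviours described above concrete. It does not use picomatch (so it runs offline); `matchGlob` is a hypothetical stand-in that supports `**`, `*`, `?`, `{a,b}`, a `dot` option and case-insensitive matching. `isDeniedVulnerable` compares each pattern with the basename only and leaves `dot` off, as the advisory describes; `isDeniedHardened` matches the whole root-relative path with `dot: true`, rewriting slash-less patterns to `**/pattern` so they still match at any depth. The deny list and request paths are constructed for the demonstration.

```javascript
// Added example modelling the server.fs.deny bypass (CVE-2024-31207); not Vite code.
// matchGlob is a minimal stand-in for picomatch so the file runs without npm.

function segmentToRegExp(seg) {
  let re = '';
  let braceDepth = 0;
  for (const c of seg) {
    if (c === '*') re += '[^/]*';
    else if (c === '?') re += '[^/]';
    else if (c === '{') { braceDepth++; re += '(?:'; }
    else if (c === '}' && braceDepth > 0) { braceDepth--; re += ')'; }
    else if (c === ',' && braceDepth > 0) re += '|';
    else re += c.replace(/[.+^$(){}|[\]\\]/, '\\$&');
  }
  return new RegExp(`^${re}$`, 'i'); // case-insensitive, like nocase: true
}

// Match pattern segments against path segments. `**` swallows zero or more
// whole segments; without `dot`, neither `**` nor `*` may match a name that
// starts with '.', unless the pattern segment itself starts with a literal '.'.
function matchSegments(pat, path, dot) {
  if (pat.length === 0) return path.length === 0;
  const [head, ...rest] = pat;
  if (head === '**') {
    for (let i = 0; i <= path.length; i++) {
      if (matchSegments(rest, path.slice(i), dot)) return true;
      if (i < path.length && !dot && path[i].startsWith('.')) break;
    }
    return false;
  }
  if (path.length === 0) return false;
  const name = path[0];
  if (!dot && name.startsWith('.') && !head.startsWith('.')) return false;
  return segmentToRegExp(head).test(name) && matchSegments(rest, path.slice(1), dot);
}

function matchGlob(pattern, relPath, { dot }) {
  return matchSegments(pattern.split('/'), relPath.split('/'), dot);
}

// Vulnerable model: basename-only comparison (what the advisory describes for
// matchBase: true) and no `dot` option. A pattern with a directory never matches.
function isDeniedVulnerable(denyPatterns, relPath) {
  const basename = relPath.split('/').pop();
  return denyPatterns.some((p) => matchGlob(p, basename, { dot: false }));
}

// Hardened model: match the full root-relative path with dot: true; patterns
// without a slash are prefixed with `**/` so `.env` still matches at any depth.
function isDeniedHardened(denyPatterns, relPath) {
  return denyPatterns.some((p) => {
    const full = p.includes('/') ? p : `**/${p}`;
    return matchGlob(full, relPath, { dot: true });
  });
}

// Root-relative path from a request URL: decode, collapse '.' and '..', and
// return null if the path would escape the root. A deny check is meaningless
// unless it runs on this normalised form rather than the raw URL.
function normalizeRequestPath(urlPath) {
  let decoded;
  try { decoded = decodeURIComponent(urlPath.split('?')[0]); } catch { return null; }
  const out = [];
  for (const seg of decoded.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { if (out.length === 0) return null; out.pop(); continue; }
    out.push(seg);
  }
  return out.join('/');
}

// Constructed custom deny list of the kind the advisory refers to (contains directory patterns).
const DENY = ['config/**', 'secrets/**', '*.{crt,pem}', '.env', '.env.*'];

// Evaluate one request path under both models.
function compare(urlPath) {
  const rel = normalizeRequestPath(urlPath);
  if (rel === null) return { rel, vulnerable: 'rejected', hardened: 'rejected' };
  return { rel, vulnerable: isDeniedVulnerable(DENY, rel), hardened: isDeniedHardened(DENY, rel) };
}

for (const u of ['/config/db.json', '/secrets/.token', '/src/key.pem', '/src/main.js',
                 '/a/%2e%2e/config/db.json', '/%2e%2e/etc/passwd']) {
  console.log(u, compare(u));
}
```

Run with `node`. The rows for `/config/db.json` and `/secrets/.token` show the two bugs: the directory pattern never matches a bare basename, and the dotfile under a denied directory is only caught once `dot: true` is set; `*.pem` is denied under both models because a slash-less pattern does match a basename.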