CVE-2023-34092

Name of the Vulnerable Software and Affected Versions Vite versions prior to 2.9.16 Vite versions prior to 3.2.7 Vite versions prior to 4.0.5 Vite versions prior to 4.1.5 Vite versions prior to 4.2.3 Vite versions prior to 4.3.9

Description The issue involves a security risk in Vite where the server options can be bypassed using a double forward-slash (//). This allows any unauthenticated user to read files from the Vite root-path of the application, including the default fs.deny settings (['.env','.env.*','*.{crt,pem}']). Only users explicitly exposing the Vite dev server to the network are affected, and only files in the immediate Vite project root folder could be exposed.

Recommendations Update to Vite version 2.9.16 or later to fix the issue. Update to Vite version 3.2.7 or later to fix the issue. Update to Vite version 4.0.5 or later to fix the issue. Update to Vite version 4.1.5 or later to fix the issue. Update to Vite version 4.2.3 or later to fix the issue. Update to Vite version 4.3.9 or later to fix the issue. As a temporary workaround, consider reviewing and updating the server configuration options in your vite.config.js file to restrict access to unauthorized requests or directories. Restrict access to the Vite dev server by not exposing it to the network using --host or server.host config option.