PT-2024-19813 · Vite · Vite

Dariushoule

·

Published

2024-01-19

·

Updated

2025-01-17

·

CVE-2024-23331

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Vite versions prior to 2.9.17
Vite versions prior to 3.2.8
Vite versions prior to 4.5.2
Vite versions prior to 5.0.12
Description

The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems by requesting case-altered variants of file names, which notably affects dev servers hosted on Windows. The bypass exists because picomatch defaults to case-sensitive glob matching, while the file server performs no case normalisation of its own. By requesting raw filesystem paths with altered casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files that the file system nevertheless resolves.
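The mismatch the description refers to, as an added illustration that is not Vite's own code: a deny-list check whose glob matcher is case-sensitive while the file lookup underneath is not, beside the hardened variant that matches case-insensitively. The glob converter, the `ROOT`/`DENY` values and the in-memory file map are constructed for this example; Vite itself uses picomatch.

```javascript
// Added example, not Vite's code: case-sensitive deny matcher over a
// case-insensitive filesystem, and the nocase fix.

// Minimal glob -> RegExp conversion (assumption: only *, ** and ? are
// supported; picomatch, which Vite uses, is case-sensitive by default).
function globToRegExp(glob, { nocase = false } = {}) {
  let re = "^";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      i++;                                   // "**": any number of segments
      if (glob[i + 1] === "/") i++;          // swallow the following "/"
      re += "(?:.*/)?";
    } else if (c === "*") {
      re += "[^/]*";                         // "*": within one segment
    } else if (c === "?") {
      re += "[^/]";
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp(re + "$", nocase ? "i" : "");
}

// Constructed stand-in for a case-insensitive volume (Windows, default
// macOS): lookups ignore case, as the real filesystem would.
const ROOT = "/app";
const CI_FILES = new Map([
  ["/app/.env", "SECRET=example"],
  ["/app/src/main.js", "export {}"],
]);
function readCaseInsensitive(p) {
  return CI_FILES.get(p.toLowerCase()) ?? null;
}

// Deny check: the glob matcher decides, the file server does no case
// normalisation. `nocase: true` is the hardened configuration.
function isDenied(requestPath, deny, opts = {}) {
  const rel = requestPath.startsWith(ROOT + "/") ? requestPath.slice(ROOT.length + 1) : requestPath;
  return deny.some((g) => globToRegExp(g, opts).test(rel));
}

// Returns file content when allowed, null when the deny list blocks it.
function serve(requestPath, deny, opts = {}) {
  if (isDenied(requestPath, deny, opts)) return null;
  return readCaseInsensitive(requestPath);
}

const DENY = [".env", ".env.*", "**/*.pem"];
```

With the default (case-sensitive) options `serve("/app/.ENV", DENY)` returns the secret, while `serve("/app/.ENV", DENY, { nocase: true })` returns null.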
Recommendations

For versions prior to 2.9.17, upgrade to version 2.9.17 or later.
For versions prior to 3.2.8, upgrade to version 3.2.8 or later.
For versions prior to 4.5.2, upgrade to version 4.5.2 or later.
For versions prior to 5.0.12, upgrade to version 5.0.12 or later.
As a temporary workaround, consider restricting access to dev servers until a patch is available.

Exploit

Fix

Information Disclosure

Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2024-23331
GHSA-C24V-8RFC-W8VW
OPENSUSE-SU-2025:14663-1

Affected Products

Vite