PT-2024-2962 · Vite · Vite

Jtmcdole · Published 2024-04-03 · Updated 2025-08-31 · CVE-2024-31207

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Vite versions prior to 2.9.18
Vite versions prior to 3.2.10
Vite versions prior to 4.5.3
Vite versions prior to 5.0.13
Vite versions prior to 5.1.7
Vite versions prior to 5.2.6

Description

The issue is related to insufficient access control in the Vite development server, which can be exploited by a remote attacker to execute arbitrary code. This vulnerability affects applications that set a custom server.fs.deny option including patterns with directories and explicitly expose the Vite development server to the network. The server.fs.deny option uses picomatch with the config { matchBase: true }, which, due to a bug, matches only the basename of the file rather than its path. Additionally, Vite does not set { dot: true }, so dotfiles are not denied unless they are explicitly listed.

Recommendations

For versions prior to 2.9.18, update to version 2.9.18 or later.
For versions prior to 3.2.10, update to version 3.2.10 or later.
For versions prior to 4.5.3, update to version 4.5.3 or later.
For versions prior to 5.0.13, update to version 5.0.13 or later.
For versions prior to 5.1.7, update to version 5.1.7 or later.
For versions prior to 5.2.6, update to version 5.2.6 or later.

As a temporary workaround, consider restricting access to the Vite development server by not using the --host option, or by setting server.host to localhost, to minimize the risk of exploitation. Avoid using patterns with directories in the server.fs.deny option until the issue is resolved.
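The two conditions the description names (a custom server.fs.deny containing directory patterns, and a dev server exposed to the network) can be checked mechanically against a project's configuration. The following is an added example written for this entry, not code from the advisory or from the Vite project: it audits the `server` section of a vite.config.js object. The `server.host` and `server.fs.deny` keys are Vite's documented configuration keys; the finding names, the `auditViteServerConfig` function and the two sample configurations are constructed for this example.

```javascript
// Added example (not from the advisory or the Vite project): audit a Vite
// `server` config object for the conditions described in CVE-2024-31207.
// Assumes the plain object shape that vite.config.js exports under `server`.

function isLoopbackHost(host) {
  // Vite's default binds to loopback only. `host: true` or a non-loopback
  // address exposes the dev server to the network (same effect as --host).
  if (host === undefined || host === false) return true;
  if (host === true) return false;
  return ['localhost', '127.0.0.1', '::1'].includes(String(host));
}

function auditViteServerConfig(server = {}) {
  const findings = [];
  const exposed = !isLoopbackHost(server.host);
  if (exposed) {
    findings.push({ id: 'network-exposed', detail: String(server.host) });
  }

  const deny = (server.fs && Array.isArray(server.fs.deny)) ? server.fs.deny : [];
  for (const pattern of deny) {
    // On affected versions picomatch runs with { matchBase: true }, so only the
    // file's basename is compared; a pattern with a directory component can
    // therefore never match and silently denies nothing.
    if (pattern.includes('/')) {
      findings.push({ id: 'deny-directory-pattern', detail: pattern });
    }
    // With { dot: true } unset, a leading wildcard does not match dotfiles, so
    // '*.pem' does not cover '.backup.pem' unless that name is listed explicitly.
    if (pattern.startsWith('*')) {
      findings.push({ id: 'deny-wildcard-skips-dotfiles', detail: pattern });
    }
  }

  // The advisory's precondition is both conditions together: an exposed server
  // and a deny list whose directory patterns are ineffective.
  const ineffectiveDeny = findings.some(f => f.id === 'deny-directory-pattern');
  return { exposed, ineffectiveDeny, atRisk: exposed && ineffectiveDeny, findings };
}

// Constructed sample configurations (hypothetical, for illustration only).
const weakConfig = {
  host: true,                                   // exposed to the network
  fs: { deny: ['secrets/*', '*.pem'] },         // directory pattern is ineffective
};
const hardenedConfig = {
  host: 'localhost',                            // loopback only, per the workaround
  fs: { deny: ['secrets', '.env', '.env.*', '*.pem'] }, // no directory components
};

console.log(JSON.stringify(auditViteServerConfig(weakConfig), null, 2));
console.log(JSON.stringify(auditViteServerConfig(hardenedConfig), null, 2));
```

The audit reports `atRisk: true` for the first configuration and `atRisk: false` for the second; the dotfile finding is informational and is reported for both, because it is independent of the exposure condition. Upgrading to a fixed release remains the actual remedy; the audit only surfaces the two settings that the workaround addresses.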

Exploit

Fix

Information Disclosure

Improper Access Control


Weakness Enumeration

Related Identifiers

BDU:2024-03129
CVE-2024-31207
GHSA-8JHW-289H-JH2G
OPENSUSE-SU-2025:14663-1

Affected Products

Vite