PT-2024-31792 · Vite · Vite
Adi1
·
Published
2024-09-17
·
Updated
2025-01-17
·
CVE-2024-45811
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions:
Vite versions prior to 3.2.11
Vite versions prior to 4.5.5
Vite versions prior to 5.2.14
Vite versions prior to 5.3.6
Vite versions prior to 5.4.6
Description:
The contents of arbitrary files can be returned to the browser.
@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.Recommendations:
For versions prior to 3.2.11, upgrade to version 3.2.11 or later.
For versions prior to 4.5.5, upgrade to version 4.5.5 or later.
For versions prior to 5.2.14, upgrade to version 5.2.14 or later.
For versions prior to 5.3.6, upgrade to version 5.3.6 or later.
For versions prior to 5.4.6, upgrade to version 5.4.6 or later.
As a temporary workaround, consider restricting access to the
@fs module until a patch is available.
Avoid using the ?import&raw parameter in the affected URL until the issue is resolved.Exploit
Fix
Information Disclosure
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Vite