Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
- Severity: High
Description
The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems by requesting case-altered variants of a denied filename, since the deny check compares paths case-sensitively while the filesystem does not. Notably this affects servers hosted on Windows.
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092, with the surface area reduced to hosts having case-insensitive filesystems.
Recommendation
Update the vite package to the latest compatible version. Version details:
- Affected versions: >= 5.0.0, <= 5.0.11; >= 4.0.0, <= 4.5.1; >= 3.0.0, <= 3.2.7; >= 2.7.0, <= 2.9.16
- Patched versions: 5.0.12, 4.5.2, 3.2.8, 2.9.17
References
Related Issues
- Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751
- Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - CVE-2024-35255
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- Tags: npm, vite
Last updated on January 19, 2024