Vite's `server.fs.deny` did not deny requests for patterns with directories.
- Severity:
- Medium
Description
Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.
Recommendation
Update the vite package to the latest compatible version. Followings are version details:
Affected version(s): **>= 5.2.0, <= 5.2.5 >= 5.1.0, <= 5.1.6 >= 5.0.0, <= 5.0.12 >= 4.0.0, <= 4.5.2 >= 3.0.0, <= 3.2.8 >= 2.7.0, <= 2.9.17** Patched version(s): **5.2.6 5.1.7 5.0.13 4.5.3 3.2.10 2.9.18**
References
Related Issues
- Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - CVE-2024-23331
- Vite's `server.fs.deny` is bypassed when using `?import&raw` - CVE-2024-45811
- Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) - CVE-2023-34092
- Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
You might also like:
- Tags:
- npm
- vite
Anything's wrong? Let us know Last updated on April 04, 2024


