Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
- Severity: High
Description
The Vite development server's `server.fs.deny` option, which is meant to stop the server from serving sensitive files, can be bypassed by requesting a path that contains a double forward slash (//). This is a potential security risk because it can allow unauthorized access to sensitive directories and files that the deny list was configured to protect.
Recommendation
Update the vite package to the latest compatible version. Version details are as follows:
Affected version(s): **>= 4.3.0, < 4.3.9; >= 4.2.0, < 4.2.3; >= 4.1.0, < 4.1.5; >= 4.0.0, < 4.0.5; >= 3.0.2, < 3.2.7; < 2.9.16**
Patched version(s): **4.3.9, 4.2.3, 4.1.5, 4.0.5, 3.2.7, 2.9.16**
References
- GHSA-353f-5xf4-qw67
- security.snyk.io
- CVE-2023-34092
- CWE-200
- CWE-50
- CWE-706
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - CVE-2024-23331
- Vite's `server.fs.deny` is bypassed when using `?import&raw` - CVE-2024-45811
- Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query - CVE-2025-31125
- Vite's `server.fs.deny` bypassed with `/.` for files under project root - CVE-2025-46565
- Tags:
- npm
- vite
Last updated on August 09, 2024