Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
- Severity: High
Description
Vite's `server.fs.deny` option, which is meant to stop the dev server from serving sensitive files, can be bypassed by a request path that contains a double forward slash (`//`). Such a request is not rejected by the deny check, so it allows unauthorized access to directories and files that the deny list is supposed to protect.
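The failure class behind this advisory, as an added illustration that is not Vite's own code: a deny-list check that matches patterns against the raw request path misses alternate spellings of the same file, while a check that normalizes the path first does not. The deny list, the glob matcher and the "naive" variant are assumptions made for this example; Vite's real matcher is richer and the real bug was fixed in the versions listed below.

```javascript
// Added illustration (not Vite's code): why a deny-list check must
// normalize the request path before matching it against deny patterns.

// Deny list assumed for this example, in the spirit of server.fs.deny defaults.
const DENY = [".env", ".env.*", "*.{crt,pem}"];

// Minimal glob -> RegExp (assumption: one brace group, '*' stays within a segment).
function globToRegExp(glob) {
  const body = glob
    .replace(/[.+^$()|\[\]\\]/g, "\\$&")
    .replace(/\{([^}]+)\}/g, (_, alts) => "(?:" + alts.split(",").join("|") + ")")
    .replace(/\*/g, "[^/]*");
  return new RegExp("^" + body + "$");
}

const matchesDeny = (rel) => DENY.some((g) => globToRegExp(g).test(rel));

// Naive check (assumed model of the failure class): strip exactly one leading
// slash and match the remainder. "//.env" becomes "/.env", which no pattern matches.
function naiveIsDenied(urlPath) {
  const rel = urlPath.startsWith("/") ? urlPath.slice(1) : urlPath;
  return matchesDeny(rel);
}

// Hardened check: drop empty and "." segments, resolve "..", then match, so every
// spelling of the same file reduces to one project-relative path.
function normalizeRequestPath(urlPath) {
  const out = [];
  for (const seg of urlPath.split("/")) {
    if (seg === "" || seg === ".") continue; // an empty segment is a repeated slash
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return out.join("/");
}

function hardenedIsDenied(urlPath) {
  return matchesDeny(normalizeRequestPath(urlPath));
}

// Constructed sample request paths (not real traffic), compared under both checks.
function audit(paths) {
  return paths.map((p) => ({ path: p, naive: naiveIsDenied(p), hardened: hardenedIsDenied(p) }));
}

console.table(audit(["/.env", "//.env", "/./.env", "/src/../.env", "/src/main.js", "/server.pem"]));
```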
Recommendation
Update the `vite` package to the latest compatible version. Version details are as follows:

Affected version(s):
- >= 4.3.0, < 4.3.9
- >= 4.2.0, < 4.2.3
- >= 4.1.0, < 4.1.5
- >= 4.0.0, < 4.0.5
- >= 3.0.2, < 3.2.7
- < 2.9.16

Patched version(s): **4.3.9, 4.2.3, 4.1.5, 4.0.5, 3.2.7, 2.9.16**
References
- GHSA-353f-5xf4-qw67
- security.snyk.io
- CVE-2023-34092
- CWE-200
- CWE-50
- CWE-706
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751
- Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering - CVE-2025-54075
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- Tags:
  - npm
  - vite
Last updated on August 09, 2024