Severity: HIGH 7.5

GHSA-353f-5xf4-qw67

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

Details

This advisory covers a vulnerability in Vite's dev server where the `server.fs.deny` file-access restriction can be bypassed with a double forward slash (`//`) in the request path. Sensitive directories and files that the deny list is meant to protect can be read by anyone who can reach the dev server.

### Steps to Fix

1. **Update Vite**: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.
2. **Secure the server configuration**: In your `vite.config.js` file, review and update the server configuration options to restrict access to unauthorized requests or directories.

### Impact

Only users explicitly exposing the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected, and only files in the immediate Vite project root folder could be exposed.

### Patches

Fixed in vite@**4.3.9**, vite@**4.2.3**, vite@**4.1.5**, vite@**4.0.5** and in the latest minors of the previous two majors, vite@**3.2.7** and vite@**2.9.16**.

### Details

Vite serves the application under the root path of the project while running in dev mode. By default, Vite uses the server option `fs.deny` to protect sensitive files. But using a simple double forward slash, we can bypass this restriction.

### PoC

1. Create a new Vite project on the latest version using any package manager. (Here I'm using the react and vue templates and pnpm for testing.)
2. Serve the application in dev mode using `pnpm run dev`.
3. Directly access the file via URL using a double forward slash (`//`) (e.g. `//.env`, `//.env.local`).
4. The server option `fs.deny` was successfully bypassed.

Proof images:

![proof-1](https://user-images.githubusercontent.com/30733517/241105344-6ecbc7f6-57b7-45c7-856a-6421a577dda1.png)
![proof-2](https://user-images.githubusercontent.com/30733517/241105349-ab9561e7-8aff-4f29-97f9-b784e673c122.png)

Affected packages

| Package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| npm / vite | 0 | 2.9.16 | `npm install vite@2.9.16` |
| npm / vite | 3.0.2 | 3.2.7 | `npm install vite@3.2.7` |
| npm / vite | 4.0.0 | 4.0.5 | `npm install vite@4.0.5` |
| npm / vite | 4.1.0 | 4.1.5 | `npm install vite@4.1.5` |
| npm / vite | 4.2.0 | 4.2.3 | `npm install vite@4.2.3` |
| npm / vite | 4.3.0 | 4.3.9 | `npm install vite@4.3.9` |

References