VDB
KO
MEDIUM

GHSA-93m4-6634-74q7

vite allows server.fs.deny bypass via backslash on Windows

Details

### Summary Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows.

### Impact Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - running the dev server on Windows

### Details `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass by using a back slash(`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.

### PoC ```shell npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env\ http://localhost:5173 ``` <img width="1593" height="616" alt="image" src="https://github.com/user-attachments/assets/36212f4e-1d3c-4686-b16f-16b35ca9e175" />

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / vite
Introduced in: 7.1.0 Fixed in: 7.1.11
Fix npm install vite@7.1.11
npm / vite
Introduced in: 7.0.0 Fixed in: 7.0.8
Fix npm install vite@7.0.8
npm / vite
Introduced in: 6.0.0 Fixed in: 6.4.1
Fix npm install vite@6.4.1
npm / vite
Introduced in: 2.9.18 Fixed in: 5.4.21
Fix npm install vite@5.4.21
npm / vite
Introduced in: 3.2.9 Fixed in: 5.4.21
Fix npm install vite@5.4.21
npm / vite
Introduced in: 4.5.3 Fixed in: 5.4.21
Fix npm install vite@5.4.21
npm / vite
Introduced in: 5.2.6 Fixed in: 5.4.21
Fix npm install vite@5.4.21

References