When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.
Impact
Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.
Patches
Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12
Details
Suppose index.html contains an inline module script:
<script type="module">
// Inline script
</script>
This script is transformed into a proxy script like
so the url passed to server.transformIndexHtml is /index.html.
However, if appType: 'custom', HTML is served manually, and if server.transformIndexHtml is called with the unmodified request URL (as the SSR docs suggest), then the path of the transformed html-proxy script varies with the request URL. For example, a request with path / produces
However, since this vulnerability affects server.transformIndexHtml, the scope of impact may be higher to also include other ad-hoc calls to server.transformIndexHtml from outside of Vite's own codebase.
My best guess at bisecting which versions are vulnerable involves the following test script
import fs from 'node:fs/promises';
import * as vite from 'vite';
const html = `
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
</head>
<body>
<script type="module">
// Inline script
</script>
</body>
</html>
`;
const server = await vite.createServer({ appType: 'custom' });
const transformed = await server.transformIndexHtml('/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E', html);
console.log(transformed);
await server.close();
and using it I was able to narrow down to #13581. If this is correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher (which includes 4.4.0).
Vite dev server optionserver.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.
Vite dev server optionserver.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.
Impact
Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Patches
Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18
Details
server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.
Reproduction
Set fs.deny to ['**/.git/**'] and then curl for /.git/config.
with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).
Release Notes
vitejs/vite (vite)
### [`v4.5.3`](https://togithub.com/vitejs/vite/compare/v4.5.2...aac695e9f8f29da43c2f7c50c549fa3d3dfeeadc)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.5.2...v4.5.3)
### [`v4.5.2`](https://togithub.com/vitejs/vite/releases/tag/v4.5.2)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.5.1...v4.5.2)
Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.5.2/packages/vite/CHANGELOG.md) for details.
### [`v4.5.1`](https://togithub.com/vitejs/vite/releases/tag/v4.5.1)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.5.0...v4.5.1)
Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.5.1/packages/vite/CHANGELOG.md) for details.
### [`v4.5.0`](https://togithub.com/vitejs/vite/releases/tag/v4.5.0)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.12...v4.5.0)
Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.5.0/packages/vite/CHANGELOG.md) for details.
### [`v4.4.12`](https://togithub.com/vitejs/vite/releases/tag/v4.4.12)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.11...v4.4.12)
Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.4.12/packages/vite/CHANGELOG.md) for details.
### [`v4.4.11`](https://togithub.com/vitejs/vite/releases/tag/v4.4.11)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.10...v4.4.11)
Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.4.11/packages/vite/CHANGELOG.md) for details.
### [`v4.4.10`](https://togithub.com/vitejs/vite/releases/tag/v4.4.10)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.9...v4.4.10)
Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.4.10/packages/vite/CHANGELOG.md) for details.
### [`v4.4.9`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small449-2023-08-07-small)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.8...v4.4.9)
- chore: fix eslint warnings ([#14031](https://togithub.com/vitejs/vite/issues/14031)) ([4021a0e](https://togithub.com/vitejs/vite/commit/4021a0e)), closes [#14031](https://togithub.com/vitejs/vite/issues/14031)
- chore(deps): update all non-major dependencies ([#13938](https://togithub.com/vitejs/vite/issues/13938)) ([a1b519e](https://togithub.com/vitejs/vite/commit/a1b519e)), closes [#13938](https://togithub.com/vitejs/vite/issues/13938)
- fix: dynamic import vars ignored warning ([#14006](https://togithub.com/vitejs/vite/issues/14006)) ([4479431](https://togithub.com/vitejs/vite/commit/4479431)), closes [#14006](https://togithub.com/vitejs/vite/issues/14006)
- fix(build): silence warn dynamic import module when inlineDynamicImports true ([#13970](https://togithub.com/vitejs/vite/issues/13970)) ([7a77aaf](https://togithub.com/vitejs/vite/commit/7a77aaf)), closes [#13970](https://togithub.com/vitejs/vite/issues/13970)
- perf: improve build times and memory utilization ([#14016](https://togithub.com/vitejs/vite/issues/14016)) ([9d7d45e](https://togithub.com/vitejs/vite/commit/9d7d45e)), closes [#14016](https://togithub.com/vitejs/vite/issues/14016)
- perf: replace startsWith with === ([#14005](https://togithub.com/vitejs/vite/issues/14005)) ([f5c1224](https://togithub.com/vitejs/vite/commit/f5c1224)), closes [#14005](https://togithub.com/vitejs/vite/issues/14005)
### [`v4.4.8`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small448-2023-07-31-small)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.7...v4.4.8)
- fix: modulePreload false ([#13973](https://togithub.com/vitejs/vite/issues/13973)) ([488085d](https://togithub.com/vitejs/vite/commit/488085d)), closes [#13973](https://togithub.com/vitejs/vite/issues/13973)
- fix: multiple entries with shared css and no JS ([#13962](https://togithub.com/vitejs/vite/issues/13962)) ([89a3db0](https://togithub.com/vitejs/vite/commit/89a3db0)), closes [#13962](https://togithub.com/vitejs/vite/issues/13962)
- fix: use file extensions on type imports so they work with `moduleResolution: 'node16'` ([#13947](https://togithub.com/vitejs/vite/issues/13947)) ([aeef670](https://togithub.com/vitejs/vite/commit/aeef670)), closes [#13947](https://togithub.com/vitejs/vite/issues/13947)
- fix(css): enhance error message for missing preprocessor dependency ([#11485](https://togithub.com/vitejs/vite/issues/11485)) ([65e5c22](https://togithub.com/vitejs/vite/commit/65e5c22)), closes [#11485](https://togithub.com/vitejs/vite/issues/11485)
- fix(esbuild): fix static properties transpile when useDefineForClassFields false ([#13992](https://togithub.com/vitejs/vite/issues/13992)) ([4ca7c13](https://togithub.com/vitejs/vite/commit/4ca7c13)), closes [#13992](https://togithub.com/vitejs/vite/issues/13992)
- fix(importAnalysis): strip url base before passing as safeModulePaths ([#13712](https://togithub.com/vitejs/vite/issues/13712)) ([1ab06a8](https://togithub.com/vitejs/vite/commit/1ab06a8)), closes [#13712](https://togithub.com/vitejs/vite/issues/13712)
- fix(importMetaGlob): avoid unnecessary hmr of negative glob ([#13646](https://togithub.com/vitejs/vite/issues/13646)) ([844451c](https://togithub.com/vitejs/vite/commit/844451c)), closes [#13646](https://togithub.com/vitejs/vite/issues/13646)
- fix(optimizer): avoid double-commit of optimized deps when discovery is disabled ([#13865](https://togithub.com/vitejs/vite/issues/13865)) ([df77991](https://togithub.com/vitejs/vite/commit/df77991)), closes [#13865](https://togithub.com/vitejs/vite/issues/13865)
- fix(optimizer): enable experimentalDecorators by default ([#13981](https://togithub.com/vitejs/vite/issues/13981)) ([f8a5ffc](https://togithub.com/vitejs/vite/commit/f8a5ffc)), closes [#13981](https://togithub.com/vitejs/vite/issues/13981)
- perf: replace startsWith with === ([#13989](https://togithub.com/vitejs/vite/issues/13989)) ([3aab14e](https://togithub.com/vitejs/vite/commit/3aab14e)), closes [#13989](https://togithub.com/vitejs/vite/issues/13989)
- perf: single slash does not need to be replaced ([#13980](https://togithub.com/vitejs/vite/issues/13980)) ([66f522c](https://togithub.com/vitejs/vite/commit/66f522c)), closes [#13980](https://togithub.com/vitejs/vite/issues/13980)
- perf: use Intl.DateTimeFormatter instead of toLocaleTimeString ([#13951](https://togithub.com/vitejs/vite/issues/13951)) ([af53a1d](https://togithub.com/vitejs/vite/commit/af53a1d)), closes [#13951](https://togithub.com/vitejs/vite/issues/13951)
- perf: use Intl.NumberFormat instead of toLocaleString ([#13949](https://togithub.com/vitejs/vite/issues/13949)) ([a48bf88](https://togithub.com/vitejs/vite/commit/a48bf88)), closes [#13949](https://togithub.com/vitejs/vite/issues/13949)
- perf: use magic-string hires boundary for sourcemaps ([#13971](https://togithub.com/vitejs/vite/issues/13971)) ([b9a8d65](https://togithub.com/vitejs/vite/commit/b9a8d65)), closes [#13971](https://togithub.com/vitejs/vite/issues/13971)
- chore(reporter): remove unnecessary map ([#13972](https://togithub.com/vitejs/vite/issues/13972)) ([dd9d4c1](https://togithub.com/vitejs/vite/commit/dd9d4c1)), closes [#13972](https://togithub.com/vitejs/vite/issues/13972)
- refactor: add new overload to the type of defineConfig ([#13958](https://togithub.com/vitejs/vite/issues/13958)) ([24c12fe](https://togithub.com/vitejs/vite/commit/24c12fe)), closes [#13958](https://togithub.com/vitejs/vite/issues/13958)
### [`v4.4.7`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small447-2023-07-24-small)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.6...v4.4.7)
- fix: `optimizeDeps.include` not working with paths inside packages ([#13922](https://togithub.com/vitejs/vite/issues/13922)) ([06e4f57](https://togithub.com/vitejs/vite/commit/06e4f57)), closes [#13922](https://togithub.com/vitejs/vite/issues/13922)
- fix: lightningcss fails with html-proxy ([#13776](https://togithub.com/vitejs/vite/issues/13776)) ([6b56094](https://togithub.com/vitejs/vite/commit/6b56094)), closes [#13776](https://togithub.com/vitejs/vite/issues/13776)
- fix: prepend `config.base` to vite/env path ([#13941](https://togithub.com/vitejs/vite/issues/13941)) ([8e6cee8](https://togithub.com/vitejs/vite/commit/8e6cee8)), closes [#13941](https://togithub.com/vitejs/vite/issues/13941)
- fix(html): support `import.meta.env` define replacement without quotes ([#13425](https://togithub.com/vitejs/vite/issues/13425)) ([883089c](https://togithub.com/vitejs/vite/commit/883089c)), closes [#13425](https://togithub.com/vitejs/vite/issues/13425)
- fix(proxy): handle error when proxy itself errors ([#13929](https://togithub.com/vitejs/vite/issues/13929)) ([4848e41](https://togithub.com/vitejs/vite/commit/4848e41)), closes [#13929](https://togithub.com/vitejs/vite/issues/13929)
- chore(eslint): allow type annotations ([#13920](https://togithub.com/vitejs/vite/issues/13920)) ([d1264fd](https://togithub.com/vitejs/vite/commit/d1264fd)), closes [#13920](https://togithub.com/vitejs/vite/issues/13920)
### [`v4.4.6`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small446-2023-07-21-small)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.5...v4.4.6)
- fix: constrain inject helpers for iife ([#13909](https://togithub.com/vitejs/vite/issues/13909)) ([c89f677](https://togithub.com/vitejs/vite/commit/c89f677)), closes [#13909](https://togithub.com/vitejs/vite/issues/13909)
- fix: display manualChunks warning only when a function is not used ([#13797](https://togithub.com/vitejs/vite/issues/13797)) ([#13798](https://togithub.com/vitejs/vite/issues/13798)) ([51c271f](https://togithub.com/vitejs/vite/commit/51c271f)), closes [#13797](https://togithub.com/vitejs/vite/issues/13797) [#13798](https://togithub.com/vitejs/vite/issues/13798)
- fix: do not append `browserHash` on optimized deps during build ([#13906](https://togithub.com/vitejs/vite/issues/13906)) ([0fb2340](https://togithub.com/vitejs/vite/commit/0fb2340)), closes [#13906](https://togithub.com/vitejs/vite/issues/13906)
- fix: use Bun's implementation of `ws` instead of the bundled one ([#13901](https://togithub.com/vitejs/vite/issues/13901)) ([049404c](https://togithub.com/vitejs/vite/commit/049404c)), closes [#13901](https://togithub.com/vitejs/vite/issues/13901)
- feat(client): add guide to press Esc for closing the overlay ([#13896](https://togithub.com/vitejs/vite/issues/13896)) ([da389cc](https://togithub.com/vitejs/vite/commit/da389cc)), closes [#13896](https://togithub.com/vitejs/vite/issues/13896)
### [`v4.4.5`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small445-2023-07-20-small)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.4...v4.4.5)
- fix: "EISDIR: illegal operation on a directory, realpath" error on RA⦠([#13655](https://togithub.com/vitejs/vite/issues/13655)) ([6bd5434](https://togithub.com/vitejs/vite/commit/6bd5434)), closes [#13655](https://togithub.com/vitejs/vite/issues/13655)
- fix: transform error message add file info ([#13687](https://togithub.com/vitejs/vite/issues/13687)) ([6dca41c](https://togithub.com/vitejs/vite/commit/6dca41c)), closes [#13687](https://togithub.com/vitejs/vite/issues/13687)
- fix: warn when publicDir and outDir are nested ([#13742](https://togithub.com/vitejs/vite/issues/13742)) ([4eb3154](https://togithub.com/vitejs/vite/commit/4eb3154)), closes [#13742](https://togithub.com/vitejs/vite/issues/13742)
- fix(build): remove warning about ineffective dynamic import from node_modules ([#13884](https://togithub.com/vitejs/vite/issues/13884)) ([33002dd](https://togithub.com/vitejs/vite/commit/33002dd)), closes [#13884](https://togithub.com/vitejs/vite/issues/13884)
- fix(build): style insert order for UMD builds (fix [#13668](https://togithub.com/vitejs/vite/issues/13668)) ([#13669](https://togithub.com/vitejs/vite/issues/13669)) ([49a1b99](https://togithub.com/vitejs/vite/commit/49a1b99)), closes [#13668](https://togithub.com/vitejs/vite/issues/13668) [#13669](https://togithub.com/vitejs/vite/issues/13669)
- fix(deps): update all non-major dependencies ([#13872](https://togithub.com/vitejs/vite/issues/13872)) ([975a631](https://togithub.com/vitejs/vite/commit/975a631)), closes [#13872](https://togithub.com/vitejs/vite/issues/13872)
- fix(types): narrow down the return type of `defineConfig` ([#13792](https://togithub.com/vitejs/vite/issues/13792)) ([c971f26](https://togithub.com/vitejs/vite/commit/c971f26)), closes [#13792](https://togithub.com/vitejs/vite/issues/13792)
- chore: fix typos ([#13862](https://togithub.com/vitejs/vite/issues/13862)) ([f54e8da](https://togithub.com/vitejs/vite/commit/f54e8da)), closes [#13862](https://togithub.com/vitejs/vite/issues/13862)
- chore: replace `any` with `string` ([#13850](https://togithub.com/vitejs/vite/issues/13850)) ([4606fd8](https://togithub.com/vitejs/vite/commit/4606fd8)), closes [#13850](https://togithub.com/vitejs/vite/issues/13850)
- chore(deps): update dependency prettier to v3 ([#13759](https://togithub.com/vitejs/vite/issues/13759)) ([5a56941](https://togithub.com/vitejs/vite/commit/5a56941)), closes [#13759](https://togithub.com/vitejs/vite/issues/13759)
- docs: fix build.cssMinify link ([#13840](https://togithub.com/vitejs/vite/issues/13840)) ([8a2a3e1](https://togithub.com/vitejs/vite/commit/8a2a3e1)), closes [#13840](https://togithub.com/vitejs/vite/issues/13840)
### [`v4.4.4`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small444-2023-07-14-small)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.3...v4.4.4)
- chore: warning about ssr cjs format removal ([#13827](https://togithub.com/vitejs/vite/issues/13827)) ([4646e9f](https://togithub.com/vitejs/vite/commit/4646e9f)), closes [#13827](https://togithub.com/vitejs/vite/issues/13827)
- fix(esbuild): enable experimentalDecorators by default ([#13805](https://togithub.com/vitejs/vite/issues/13805)) ([e8880f0](https://togithub.com/vitejs/vite/commit/e8880f0)), closes [#13805](https://togithub.com/vitejs/vite/issues/13805)
- fix(scan): skip tsconfigRaw fallback if tsconfig is set ([#13823](https://togithub.com/vitejs/vite/issues/13823)) ([b6155a1](https://togithub.com/vitejs/vite/commit/b6155a1)), closes [#13823](https://togithub.com/vitejs/vite/issues/13823)
- feat(client): close `vite-error-overlay` with Escape key ([#13795](https://togithub.com/vitejs/vite/issues/13795)) ([85bdcda](https://togithub.com/vitejs/vite/commit/85bdcda)), closes [#13795](https://togithub.com/vitejs/vite/issues/13795)
### [`v4.4.3`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small443-2023-07-11-small)
[Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.2...v4.4.3)
- fix: avoid early error when server is closed in ssr ([#13787](https://togithub.com/vitejs/vite/issues/13787)) ([89d01eb](https://togithub.com/vitejs/vite/commit/89d01eb)), closes [#13787](https://togithub.com/vitejs/vite/issues/13787)
- fix(deps): update all non-major dependencies ([#13758](https://togithub.com/vitejs/vite/issues/13758)) ([8ead116](https://togithub.com/vitejs/vite/commit/8ead116)), closes [#13758](https://togithub.com/vitejs/vite/issues/13758)
- fix(server): remove restart guard on restart ([#13789](https://togithub.com/vitejs/vite/issues/13789)) ([2a38ef7](https://togithub.com/vitejs/vite/commit/2a38ef7)), closes [#13789](https://togithub.com/vitejs/vite/issues/13789)
### [`v4.4.2`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small442-2023-07-07-small)
[Compare Source](https://togithub.com/vitejs/vite/compare/487bdcde3399463ac68eb5ab5bc19e5096b4623b...v4.4.2)
- fix(css): use single postcss instance ([#13738](https://togithub.com/vitejs/vite/issues/13738)) ([c02fac4](https://togithub.com/vitejs/vite/commit/c02fac4)), closes [#13738](https://togithub.com/vitejs/vite/issues/13738)
Configuration
π Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
4.4.1
->4.5.3
GitHub Vulnerability Alerts
CVE-2023-49293
Summary
When Vite's HTML transformation is invoked manually via
server.transformIndexHtml
, the original request URL is passed in unmodified, and thehtml
being transformed contains inline module scripts (<script type="module">...</script>
), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string toserver.transformIndexHtml
.Impact
Only apps using
appType: 'custom'
and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.Patches
Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12
Details
Suppose
index.html
contains an inline module script:This script is transformed into a proxy script like
due to Vite's HTML plugin:
https://github.com/vitejs/vite/blob/7fd7c6cebfcad34ae7021ebee28f97b1f28ef3f3/packages/vite/src/node/plugins/html.ts#L429-L465
When
appType: 'spa' | 'mpa'
, Vite serves HTML itself, andhtmlFallbackMiddleware
rewritesreq.url
to the canonical path ofindex.html
,https://github.com/vitejs/vite/blob/73ef074b80fa7252e0c46a37a2c94ba8cba46504/packages/vite/src/node/server/middlewares/htmlFallback.ts#L44-L47
so the
url
passed toserver.transformIndexHtml
is/index.html
.However, if
appType: 'custom'
, HTML is served manually, and ifserver.transformIndexHtml
is called with the unmodified request URL (as the SSR docs suggest), then the path of the transformedhtml-proxy
script varies with the request URL. For example, a request with path/
producesIt is possible to abuse this behavior by crafting a request URL to contain a malicious payload like
so a request to http://localhost:5173/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E produces HTML output like
which demonstrates XSS.
PoC
vite dev
middleware withappType: 'custom'
?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E
and navigatevite dev
(this shows that vanillavite dev
is not vulnerable, providedhtmlFallbackMiddleware
is used)Detailed Impact
This will probably predominantly affect development-mode SSR, where
vite.transformHtml
is called using the originalreq.url
, per the docs:https://github.com/vitejs/vite/blob/7fd7c6cebfcad34ae7021ebee28f97b1f28ef3f3/docs/guide/ssr.md?plain=1#L114-L126
However, since this vulnerability affects
server.transformIndexHtml
, the scope of impact may be higher to also include other ad-hoc calls toserver.transformIndexHtml
from outside of Vite's own codebase.My best guess at bisecting which versions are vulnerable involves the following test script
and using it I was able to narrow down to #13581. If this is correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher (which includes 4.4.0).
CVE-2024-23331
Summary
Vite dev server option
server.fs.deny
can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details
Since
picomatch
defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.See
picomatch
usage, wherenocase
is defaulted tofalse
: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632By requesting raw filesystem paths using augmented casing, the matcher derived from
config.server.fs.deny
fails to block access to sensitive files.PoC
Setup
npm create vite@latest
on a Standard Azure hosted Windows 10 instance.npm run dev -- --host 0.0.0.0
custom.secret
andproduction.pem
vite.config.js
withReproduction
curl -s http://20.12.242.81:5173/@​fs//
curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
curl -s http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
Proof
Impact
Who
What
server.fs.deny
are both discoverable, and accessibleCVE-2024-31207
Summary
Vite dev server option
server.fs.deny
did not deny requests for patterns with directories. An example of such a pattern is/foo/**/*
.Impact
Only apps setting a custom
server.fs.deny
that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using--host
orserver.host
config option) are affected.Patches
Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18
Details
server.fs.deny
uses picomatch with the config of{ matchBase: true }
. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set{ dot: true }
and that causes dotfiles not to be denied unless they are explicitly defined.Reproduction
Set fs.deny to
['**/.git/**']
and then curl for/.git/config
.matchBase: true
, you can get any file under.git/
(config, HEAD, etc).matchBase: false
, you cannot get any file under.git/
(config, HEAD, etc).Release Notes
vitejs/vite (vite)
### [`v4.5.3`](https://togithub.com/vitejs/vite/compare/v4.5.2...aac695e9f8f29da43c2f7c50c549fa3d3dfeeadc) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.5.2...v4.5.3) ### [`v4.5.2`](https://togithub.com/vitejs/vite/releases/tag/v4.5.2) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.5.1...v4.5.2) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.5.2/packages/vite/CHANGELOG.md) for details. ### [`v4.5.1`](https://togithub.com/vitejs/vite/releases/tag/v4.5.1) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.5.0...v4.5.1) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.5.1/packages/vite/CHANGELOG.md) for details. ### [`v4.5.0`](https://togithub.com/vitejs/vite/releases/tag/v4.5.0) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.12...v4.5.0) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.5.0/packages/vite/CHANGELOG.md) for details. ### [`v4.4.12`](https://togithub.com/vitejs/vite/releases/tag/v4.4.12) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.11...v4.4.12) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.4.12/packages/vite/CHANGELOG.md) for details. ### [`v4.4.11`](https://togithub.com/vitejs/vite/releases/tag/v4.4.11) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.10...v4.4.11) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.4.11/packages/vite/CHANGELOG.md) for details. ### [`v4.4.10`](https://togithub.com/vitejs/vite/releases/tag/v4.4.10) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.9...v4.4.10) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v4.4.10/packages/vite/CHANGELOG.md) for details. ### [`v4.4.9`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small449-2023-08-07-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.8...v4.4.9) - chore: fix eslint warnings ([#14031](https://togithub.com/vitejs/vite/issues/14031)) ([4021a0e](https://togithub.com/vitejs/vite/commit/4021a0e)), closes [#14031](https://togithub.com/vitejs/vite/issues/14031) - chore(deps): update all non-major dependencies ([#13938](https://togithub.com/vitejs/vite/issues/13938)) ([a1b519e](https://togithub.com/vitejs/vite/commit/a1b519e)), closes [#13938](https://togithub.com/vitejs/vite/issues/13938) - fix: dynamic import vars ignored warning ([#14006](https://togithub.com/vitejs/vite/issues/14006)) ([4479431](https://togithub.com/vitejs/vite/commit/4479431)), closes [#14006](https://togithub.com/vitejs/vite/issues/14006) - fix(build): silence warn dynamic import module when inlineDynamicImports true ([#13970](https://togithub.com/vitejs/vite/issues/13970)) ([7a77aaf](https://togithub.com/vitejs/vite/commit/7a77aaf)), closes [#13970](https://togithub.com/vitejs/vite/issues/13970) - perf: improve build times and memory utilization ([#14016](https://togithub.com/vitejs/vite/issues/14016)) ([9d7d45e](https://togithub.com/vitejs/vite/commit/9d7d45e)), closes [#14016](https://togithub.com/vitejs/vite/issues/14016) - perf: replace startsWith with === ([#14005](https://togithub.com/vitejs/vite/issues/14005)) ([f5c1224](https://togithub.com/vitejs/vite/commit/f5c1224)), closes [#14005](https://togithub.com/vitejs/vite/issues/14005) ### [`v4.4.8`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small448-2023-07-31-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.7...v4.4.8) - fix: modulePreload false ([#13973](https://togithub.com/vitejs/vite/issues/13973)) ([488085d](https://togithub.com/vitejs/vite/commit/488085d)), closes [#13973](https://togithub.com/vitejs/vite/issues/13973) - fix: multiple entries with shared css and no JS ([#13962](https://togithub.com/vitejs/vite/issues/13962)) ([89a3db0](https://togithub.com/vitejs/vite/commit/89a3db0)), closes [#13962](https://togithub.com/vitejs/vite/issues/13962) - fix: use file extensions on type imports so they work with `moduleResolution: 'node16'` ([#13947](https://togithub.com/vitejs/vite/issues/13947)) ([aeef670](https://togithub.com/vitejs/vite/commit/aeef670)), closes [#13947](https://togithub.com/vitejs/vite/issues/13947) - fix(css): enhance error message for missing preprocessor dependency ([#11485](https://togithub.com/vitejs/vite/issues/11485)) ([65e5c22](https://togithub.com/vitejs/vite/commit/65e5c22)), closes [#11485](https://togithub.com/vitejs/vite/issues/11485) - fix(esbuild): fix static properties transpile when useDefineForClassFields false ([#13992](https://togithub.com/vitejs/vite/issues/13992)) ([4ca7c13](https://togithub.com/vitejs/vite/commit/4ca7c13)), closes [#13992](https://togithub.com/vitejs/vite/issues/13992) - fix(importAnalysis): strip url base before passing as safeModulePaths ([#13712](https://togithub.com/vitejs/vite/issues/13712)) ([1ab06a8](https://togithub.com/vitejs/vite/commit/1ab06a8)), closes [#13712](https://togithub.com/vitejs/vite/issues/13712) - fix(importMetaGlob): avoid unnecessary hmr of negative glob ([#13646](https://togithub.com/vitejs/vite/issues/13646)) ([844451c](https://togithub.com/vitejs/vite/commit/844451c)), closes [#13646](https://togithub.com/vitejs/vite/issues/13646) - fix(optimizer): avoid double-commit of optimized deps when discovery is disabled ([#13865](https://togithub.com/vitejs/vite/issues/13865)) ([df77991](https://togithub.com/vitejs/vite/commit/df77991)), closes [#13865](https://togithub.com/vitejs/vite/issues/13865) - fix(optimizer): enable experimentalDecorators by default ([#13981](https://togithub.com/vitejs/vite/issues/13981)) ([f8a5ffc](https://togithub.com/vitejs/vite/commit/f8a5ffc)), closes [#13981](https://togithub.com/vitejs/vite/issues/13981) - perf: replace startsWith with === ([#13989](https://togithub.com/vitejs/vite/issues/13989)) ([3aab14e](https://togithub.com/vitejs/vite/commit/3aab14e)), closes [#13989](https://togithub.com/vitejs/vite/issues/13989) - perf: single slash does not need to be replaced ([#13980](https://togithub.com/vitejs/vite/issues/13980)) ([66f522c](https://togithub.com/vitejs/vite/commit/66f522c)), closes [#13980](https://togithub.com/vitejs/vite/issues/13980) - perf: use Intl.DateTimeFormatter instead of toLocaleTimeString ([#13951](https://togithub.com/vitejs/vite/issues/13951)) ([af53a1d](https://togithub.com/vitejs/vite/commit/af53a1d)), closes [#13951](https://togithub.com/vitejs/vite/issues/13951) - perf: use Intl.NumberFormat instead of toLocaleString ([#13949](https://togithub.com/vitejs/vite/issues/13949)) ([a48bf88](https://togithub.com/vitejs/vite/commit/a48bf88)), closes [#13949](https://togithub.com/vitejs/vite/issues/13949) - perf: use magic-string hires boundary for sourcemaps ([#13971](https://togithub.com/vitejs/vite/issues/13971)) ([b9a8d65](https://togithub.com/vitejs/vite/commit/b9a8d65)), closes [#13971](https://togithub.com/vitejs/vite/issues/13971) - chore(reporter): remove unnecessary map ([#13972](https://togithub.com/vitejs/vite/issues/13972)) ([dd9d4c1](https://togithub.com/vitejs/vite/commit/dd9d4c1)), closes [#13972](https://togithub.com/vitejs/vite/issues/13972) - refactor: add new overload to the type of defineConfig ([#13958](https://togithub.com/vitejs/vite/issues/13958)) ([24c12fe](https://togithub.com/vitejs/vite/commit/24c12fe)), closes [#13958](https://togithub.com/vitejs/vite/issues/13958) ### [`v4.4.7`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small447-2023-07-24-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.6...v4.4.7) - fix: `optimizeDeps.include` not working with paths inside packages ([#13922](https://togithub.com/vitejs/vite/issues/13922)) ([06e4f57](https://togithub.com/vitejs/vite/commit/06e4f57)), closes [#13922](https://togithub.com/vitejs/vite/issues/13922) - fix: lightningcss fails with html-proxy ([#13776](https://togithub.com/vitejs/vite/issues/13776)) ([6b56094](https://togithub.com/vitejs/vite/commit/6b56094)), closes [#13776](https://togithub.com/vitejs/vite/issues/13776) - fix: prepend `config.base` to vite/env path ([#13941](https://togithub.com/vitejs/vite/issues/13941)) ([8e6cee8](https://togithub.com/vitejs/vite/commit/8e6cee8)), closes [#13941](https://togithub.com/vitejs/vite/issues/13941) - fix(html): support `import.meta.env` define replacement without quotes ([#13425](https://togithub.com/vitejs/vite/issues/13425)) ([883089c](https://togithub.com/vitejs/vite/commit/883089c)), closes [#13425](https://togithub.com/vitejs/vite/issues/13425) - fix(proxy): handle error when proxy itself errors ([#13929](https://togithub.com/vitejs/vite/issues/13929)) ([4848e41](https://togithub.com/vitejs/vite/commit/4848e41)), closes [#13929](https://togithub.com/vitejs/vite/issues/13929) - chore(eslint): allow type annotations ([#13920](https://togithub.com/vitejs/vite/issues/13920)) ([d1264fd](https://togithub.com/vitejs/vite/commit/d1264fd)), closes [#13920](https://togithub.com/vitejs/vite/issues/13920) ### [`v4.4.6`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small446-2023-07-21-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.5...v4.4.6) - fix: constrain inject helpers for iife ([#13909](https://togithub.com/vitejs/vite/issues/13909)) ([c89f677](https://togithub.com/vitejs/vite/commit/c89f677)), closes [#13909](https://togithub.com/vitejs/vite/issues/13909) - fix: display manualChunks warning only when a function is not used ([#13797](https://togithub.com/vitejs/vite/issues/13797)) ([#13798](https://togithub.com/vitejs/vite/issues/13798)) ([51c271f](https://togithub.com/vitejs/vite/commit/51c271f)), closes [#13797](https://togithub.com/vitejs/vite/issues/13797) [#13798](https://togithub.com/vitejs/vite/issues/13798) - fix: do not append `browserHash` on optimized deps during build ([#13906](https://togithub.com/vitejs/vite/issues/13906)) ([0fb2340](https://togithub.com/vitejs/vite/commit/0fb2340)), closes [#13906](https://togithub.com/vitejs/vite/issues/13906) - fix: use Bun's implementation of `ws` instead of the bundled one ([#13901](https://togithub.com/vitejs/vite/issues/13901)) ([049404c](https://togithub.com/vitejs/vite/commit/049404c)), closes [#13901](https://togithub.com/vitejs/vite/issues/13901) - feat(client): add guide to press Esc for closing the overlay ([#13896](https://togithub.com/vitejs/vite/issues/13896)) ([da389cc](https://togithub.com/vitejs/vite/commit/da389cc)), closes [#13896](https://togithub.com/vitejs/vite/issues/13896) ### [`v4.4.5`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small445-2023-07-20-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.4...v4.4.5) - fix: "EISDIR: illegal operation on a directory, realpath" error on RA⦠([#13655](https://togithub.com/vitejs/vite/issues/13655)) ([6bd5434](https://togithub.com/vitejs/vite/commit/6bd5434)), closes [#13655](https://togithub.com/vitejs/vite/issues/13655) - fix: transform error message add file info ([#13687](https://togithub.com/vitejs/vite/issues/13687)) ([6dca41c](https://togithub.com/vitejs/vite/commit/6dca41c)), closes [#13687](https://togithub.com/vitejs/vite/issues/13687) - fix: warn when publicDir and outDir are nested ([#13742](https://togithub.com/vitejs/vite/issues/13742)) ([4eb3154](https://togithub.com/vitejs/vite/commit/4eb3154)), closes [#13742](https://togithub.com/vitejs/vite/issues/13742) - fix(build): remove warning about ineffective dynamic import from node_modules ([#13884](https://togithub.com/vitejs/vite/issues/13884)) ([33002dd](https://togithub.com/vitejs/vite/commit/33002dd)), closes [#13884](https://togithub.com/vitejs/vite/issues/13884) - fix(build): style insert order for UMD builds (fix [#13668](https://togithub.com/vitejs/vite/issues/13668)) ([#13669](https://togithub.com/vitejs/vite/issues/13669)) ([49a1b99](https://togithub.com/vitejs/vite/commit/49a1b99)), closes [#13668](https://togithub.com/vitejs/vite/issues/13668) [#13669](https://togithub.com/vitejs/vite/issues/13669) - fix(deps): update all non-major dependencies ([#13872](https://togithub.com/vitejs/vite/issues/13872)) ([975a631](https://togithub.com/vitejs/vite/commit/975a631)), closes [#13872](https://togithub.com/vitejs/vite/issues/13872) - fix(types): narrow down the return type of `defineConfig` ([#13792](https://togithub.com/vitejs/vite/issues/13792)) ([c971f26](https://togithub.com/vitejs/vite/commit/c971f26)), closes [#13792](https://togithub.com/vitejs/vite/issues/13792) - chore: fix typos ([#13862](https://togithub.com/vitejs/vite/issues/13862)) ([f54e8da](https://togithub.com/vitejs/vite/commit/f54e8da)), closes [#13862](https://togithub.com/vitejs/vite/issues/13862) - chore: replace `any` with `string` ([#13850](https://togithub.com/vitejs/vite/issues/13850)) ([4606fd8](https://togithub.com/vitejs/vite/commit/4606fd8)), closes [#13850](https://togithub.com/vitejs/vite/issues/13850) - chore(deps): update dependency prettier to v3 ([#13759](https://togithub.com/vitejs/vite/issues/13759)) ([5a56941](https://togithub.com/vitejs/vite/commit/5a56941)), closes [#13759](https://togithub.com/vitejs/vite/issues/13759) - docs: fix build.cssMinify link ([#13840](https://togithub.com/vitejs/vite/issues/13840)) ([8a2a3e1](https://togithub.com/vitejs/vite/commit/8a2a3e1)), closes [#13840](https://togithub.com/vitejs/vite/issues/13840) ### [`v4.4.4`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small444-2023-07-14-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.3...v4.4.4) - chore: warning about ssr cjs format removal ([#13827](https://togithub.com/vitejs/vite/issues/13827)) ([4646e9f](https://togithub.com/vitejs/vite/commit/4646e9f)), closes [#13827](https://togithub.com/vitejs/vite/issues/13827) - fix(esbuild): enable experimentalDecorators by default ([#13805](https://togithub.com/vitejs/vite/issues/13805)) ([e8880f0](https://togithub.com/vitejs/vite/commit/e8880f0)), closes [#13805](https://togithub.com/vitejs/vite/issues/13805) - fix(scan): skip tsconfigRaw fallback if tsconfig is set ([#13823](https://togithub.com/vitejs/vite/issues/13823)) ([b6155a1](https://togithub.com/vitejs/vite/commit/b6155a1)), closes [#13823](https://togithub.com/vitejs/vite/issues/13823) - feat(client): close `vite-error-overlay` with Escape key ([#13795](https://togithub.com/vitejs/vite/issues/13795)) ([85bdcda](https://togithub.com/vitejs/vite/commit/85bdcda)), closes [#13795](https://togithub.com/vitejs/vite/issues/13795) ### [`v4.4.3`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small443-2023-07-11-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.4.2...v4.4.3) - fix: avoid early error when server is closed in ssr ([#13787](https://togithub.com/vitejs/vite/issues/13787)) ([89d01eb](https://togithub.com/vitejs/vite/commit/89d01eb)), closes [#13787](https://togithub.com/vitejs/vite/issues/13787) - fix(deps): update all non-major dependencies ([#13758](https://togithub.com/vitejs/vite/issues/13758)) ([8ead116](https://togithub.com/vitejs/vite/commit/8ead116)), closes [#13758](https://togithub.com/vitejs/vite/issues/13758) - fix(server): remove restart guard on restart ([#13789](https://togithub.com/vitejs/vite/issues/13789)) ([2a38ef7](https://togithub.com/vitejs/vite/commit/2a38ef7)), closes [#13789](https://togithub.com/vitejs/vite/issues/13789) ### [`v4.4.2`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small442-2023-07-07-small) [Compare Source](https://togithub.com/vitejs/vite/compare/487bdcde3399463ac68eb5ab5bc19e5096b4623b...v4.4.2) - fix(css): use single postcss instance ([#13738](https://togithub.com/vitejs/vite/issues/13738)) ([c02fac4](https://togithub.com/vitejs/vite/commit/c02fac4)), closes [#13738](https://togithub.com/vitejs/vite/issues/13738)Configuration
π Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.