CVE-2024-23331

Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. ### Patches Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17 ### Details Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. See `picomatch` usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632 By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. ### PoC **Setup** 1. Created vanilla Vite project using `npm create vite@latest` on a Standard Azure hosted Windows 10 instance. - `npm run dev -- --host 0.0.0.0` - Publicly accessible for the time being here: http://20.12.242.81:5173/ 2. Created dummy secret files, e.g. `custom.secret` and `production.pem` 3. Populated `vite.config.js` with ```javascript export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } } ``` **Reproduction** 1. `curl -s http://20.12.242.81:5173/@fs//` - Descriptive error page reveals absolute filesystem path to project root 2. `curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js` - Discoverable configuration file reveals locations of secrets 3. `curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT` - Secrets are directly accessible using case-augmented version of filename **Proof**  ### Impact **Who** - Users with exposed dev servers on environments with case-insensitive filesystems **What** - Files protected by `server.fs.deny` are both discoverable, and accessible

### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. ### Patches Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17 ### Details Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. See `picomatch` usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632 By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. ### PoC **Setup** 1. Created vanilla Vite project using `npm create vite@latest` on a Standard Azure hosted Windows 10 instance. - `npm run dev -- --host 0.0.0.0` - Publicly accessible for the time being here: http://20.12.242.81:5173/ 2. Created dummy secret files, e.g. `custom.secret` and `production.pem` 3. Populated `vite.config.js` with ```javascript export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } } ``` **Reproduction** 1. `curl -s http://20.12.242.81:5173/@fs//` - Descriptive error page reveals absolute filesystem path to project root 2. `curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js` - Discoverable configuration file reveals locations of secrets 3. `curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT` - Secrets are directly accessible using case-augmented version of filename **Proof**  ### Impact **Who** - Users with exposed dev servers on environments with case-insensitive filesystems **What** - Files protected by `server.fs.deny` are both discoverable, and accessible

Vite es un framework de herramientas frontend para javascript. La opción del servidor de desarrollo de Vite `server.fs.deny` se puede omitir en sistemas de archivos que no distinguen entre mayúsculas y minúsculas utilizando versiones de nombres de archivos aumentadas entre mayúsculas y minúsculas. Cabe destacar que esto afecta a los servidores alojados en Windows. Esta omisión es similar a CVE-2023-34092, con un área de superficie reducida para hosts que tienen sistemas de archivos que no distinguen entre mayúsculas y minúsculas. Dado que `picomatch` por defecto utiliza coincidencias globales que distinguen entre mayúsculas y minúsculas, pero el servidor de archivos no discrimina; es posible omitir la lista negra. Al solicitar rutas de sistema de archivos sin formato usando mayúsculas aumentadas, el comparador derivado de `config.server.fs.deny` no logra bloquear el acceso a archivos confidenciales. Este problema se ha solucionado en vite@5.0.12, vite@4.5.2, vite@3.2.8 y vite@2.9.17. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben restringir el acceso a los servidores de desarrollo.