CVE-2023-34092
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass Vite's file system restrictions by using double forward-slashes (//) in URLs, potentially exposing sensitive files like .env and certificate files. Only affects users who explicitly expose their Vite development server to the network using --host or server.host configuration. The exposure is limited to files in the immediate Vite project root folder.
💻 Affected Systems
- Vite
📦 What is this software?
Vite by Vitejs
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive configuration files (.env, .env.*), private keys (*.crt, *.pem), or other project files containing secrets, credentials, or sensitive data from the exposed Vite development server.
Likely Case
Exposure of development environment secrets, API keys, database credentials, or other sensitive configuration data stored in project root files.
If Mitigated
No impact if Vite dev server is not exposed to the network or if proper network segmentation and access controls are implemented.
🎯 Exploit Status
Exploitation is trivial - attackers can simply append double forward-slashes to URLs to bypass file restrictions. Proof of concept is available in the GitHub advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, vite@2.9.16
Vendor Advisory: https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67
Restart Required: Yes
Instructions:
1. Update Vite to the patched version for your major release.
2. Run 'npm update vite' or 'yarn upgrade vite'.
3. Restart your development server.
4. Verify the fix by checking the version with 'vite --version'.
🔧 Temporary Workarounds
Disable network exposure
Platform: All
Do not expose the Vite development server to the network: avoid the --host flag and the server.host configuration.
Remove '--host' flag from dev scripts
Set server.host: false in vite.config.js
Network restriction
Platform: Linux
Restrict the Vite dev server to localhost only using firewall rules. Both rules below block inbound TCP on Vite's default port 5173 (adjust the port if server.port is set). ufw permits loopback traffic by default; with bare iptables, make sure an ACCEPT rule for the lo interface precedes the DROP, or a browser on the same host is blocked as well.
sudo ufw deny from any to any port 5173
sudo iptables -A INPUT -p tcp --dport 5173 -j DROP
🧯 If You Can't Patch
- Do not expose Vite development server to any network (use localhost only)
- Implement network-level access controls to restrict access to Vite dev server port (default 5173)
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Vite version is below the patched version for its release line and whether the server is exposed with --host or the server.host config.
Check Version:
Run 'vite --version', or check the vite entry in package.json (node_modules/vite/package.json holds the version actually installed; package.json only holds the allowed range).
Verify Fix Applied:
Verify that the Vite version is at or above the patched version for its release line, and confirm against your own dev server that double-slash URLs no longer bypass the file restrictions.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns with double forward-slashes in URLs
- Access attempts to .env, .env.*, *.crt, *.pem files
Network Indicators:
- HTTP requests containing '//' in paths to Vite dev server
- External IPs accessing Vite dev server port
SIEM Query:
source="vite_logs" AND (url="*//*" OR path="*//*")
🔗 References
- https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32
- https://github.com/vitejs/vite/pull/13348
- https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67