CVE-2024-23331

7.5 HIGH

📋 TL;DR

This vulnerability allows an attacker to bypass the server.fs.deny file access restrictions of the Vite development server on case-insensitive file systems (such as Windows) by requesting a file path with different letter casing. This permits unauthorized access to files that the deny list should block. It affects Vite development servers running on Windows or any other case-insensitive file system.

💻 Affected Systems

Products:
  • Vite
Versions: All versions before 5.0.12, 4.5.2, 3.2.8, and 2.9.17
Operating Systems: Windows, Any OS with case-insensitive file systems
Default Config Vulnerable: ✅ No
Notes: Only affects installations where server.fs.deny is configured and the Vite dev server runs on a case-insensitive file system. Development servers are primarily affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers access sensitive files like .env, configuration files, or source code containing secrets, leading to credential theft, source code exposure, or further system compromise.

🟠 Likely Case

Unauthorized file access to development files containing API keys, database credentials, or other sensitive configuration data.

🟢 If Mitigated

Limited or no impact if proper network segmentation and access controls are in place for development servers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward by modifying URL casing to bypass deny rules. Similar to CVE-2023-34092.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Vendor Advisory: https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw

Restart Required: Yes

Instructions:

1. Check the current Vite version.
2. Update to a patched version using npm/yarn/pnpm.
3. Restart the development server.
4. Verify the fix by testing deny rules with case variations.

🔧 Temporary Workarounds

Restrict Development Server Access (all platforms)

Limit network access to Vite dev servers to trusted IPs only:

  • Use firewall rules to restrict access
  • Bind to localhost only: vite --host localhost

Use Case-Sensitive File System (Linux)

Run Vite on case-sensitive file systems where possible

🧯 If You Can't Patch

  • Do not expose Vite development servers to untrusted networks
  • Implement additional file access controls at OS/network level

🔍 How to Verify

Check if Vulnerable:

Check whether a vulnerable Vite version is running on a case-insensitive file system with server.fs.deny configured

Check Version:

Run npm list vite, or check the vite entry in package.json

Verify Fix Applied:

Request a protected path with altered casing and confirm that the dev server still denies access

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns with case variations
  • Access attempts to denied paths with different casing

Network Indicators:

  • HTTP requests to Vite dev server with unusual casing patterns

SIEM Query (illustrative pseudo-query; adapt field names and syntax to your log source):

source="vite" AND (path:* OR url:* AND (case OR uppercase OR lowercase))
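As an added example that is not part of this page or of Vite's own code, the following Python reproduces the detection logic above on a constructed access log: it flags requests that a case-folded deny check would block but a strict, case-sensitive check lets through, which is the case-variant pattern the indicators describe, and the same check doubles as the case-variation test under "Verify Fix Applied". The deny patterns, the log lines and the handling of Vite's /@fs/ prefix are assumptions for this example.

```python
import fnmatch
import posixpath
import re
from urllib.parse import unquote, urlparse

# Constructed deny list shaped like server.fs.deny globs (example values, not a real config).
DENY_PATTERNS = [".env", ".env.*", "*.pem", "secrets/*"]

# Constructed dev-server access log, one "METHOD PATH STATUS" entry per line.
SAMPLE_LOG = """\
GET /src/main.ts 200
GET /.env 403
GET /.ENV 200
GET /@fs/C:/proj/.Env.local 200
GET /secrets/db.json 403
GET /SECRETS/db.json 200
GET /Cert.PEM 200
"""


def normalise_path(url_path):
    """Decode the request path, drop the /@fs/ prefix and any Windows drive
    letter, and return a project-relative POSIX path."""
    path = unquote(urlparse(url_path).path).replace("\\", "/")
    path = re.sub(r"^/@fs/", "/", path)
    path = re.sub(r"^/[A-Za-z]:/", "/", path)
    return posixpath.normpath(path).lstrip("/")


def is_denied(rel_path, patterns, fold_case):
    """Glob-match the relative path and its basename against the deny list.
    fold_case=True mirrors what a case-insensitive file system effectively
    does; fold_case=False is the strict comparison a naive check performs."""
    candidates = [rel_path, posixpath.basename(rel_path)]
    if fold_case:
        candidates = [c.lower() for c in candidates]
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(c, p) for c in candidates for p in patterns)


def find_case_bypass_attempts(log_text, patterns=DENY_PATTERNS):
    """Return request paths that only a case-folded deny check would block:
    these are the case-variant access attempts worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        _, path, _ = line.split()
        rel = normalise_path(path)
        if is_denied(rel, patterns, True) and not is_denied(rel, patterns, False):
            hits.append(path)
    return hits
```

Requests that the strict check already denies (such as /.env returning 403) are not reported, so the output isolates the case-variation bypass rather than every hit on a protected path.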
