VulnerableCode Package Details - pkg:npm/vite@4.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-mbnq-b7vj-jyhb Aliases: CVE-2024-23331 GHSA-c24v-8rfc-w8vw	Improper Access Control Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.	4.5.2 Affected by 0 other vulnerabilities. 5.0.12 Affected by 0 other vulnerabilities.
VCID-n143-1uka-s3eg Aliases: CVE-2023-34092 GHSA-353f-5xf4-qw67	Use of Incorrectly-Resolved Name or Reference Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.', '.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16.	4.0.5 Affected by 0 other vulnerabilities. 4.1.5 Affected by 0 other vulnerabilities. 4.2.3 Affected by 0 other vulnerabilities. 4.3.9 Affected by 0 other vulnerabilities.
VCID-vyjc-1f5b-p7cs Aliases: GHSA-8jhw-289h-jh2g	Vite's `server.fs.deny` did not deny requests for patterns with directories. [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/*/`.	4.5.3 Affected by 0 other vulnerabilities. 5.0.13 Affected by 0 other vulnerabilities. 5.1.7 Affected by 0 other vulnerabilities. 5.2.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-mbnq-b7vj-jyhb
Aliases:
CVE-2024-23331
GHSA-c24v-8rfc-w8vw

Improper Access Control Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

4.5.2
Affected by 0 other vulnerabilities.

5.0.12
Affected by 0 other vulnerabilities.

VCID-n143-1uka-s3eg
Aliases:
CVE-2023-34092
GHSA-353f-5xf4-qw67

Use of Incorrectly-Resolved Name or Reference Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16.

4.0.5
Affected by 0 other vulnerabilities.

4.1.5
Affected by 0 other vulnerabilities.

4.2.3
Affected by 0 other vulnerabilities.

4.3.9
Affected by 0 other vulnerabilities.

VCID-vyjc-1f5b-p7cs
Aliases:
GHSA-8jhw-289h-jh2g

Vite's `server.fs.deny` did not deny requests for patterns with directories. [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.

4.5.3
Affected by 0 other vulnerabilities.

5.0.13
Affected by 0 other vulnerabilities.

5.1.7
Affected by 0 other vulnerabilities.

5.2.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:47:30.381871+00:00	GitLab Importer	Affected by	VCID-vyjc-1f5b-p7cs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/GHSA-8jhw-289h-jh2g.yml	38.6.0
2026-06-02T04:46:52.318751+00:00	GitLab Importer	Affected by	VCID-mbnq-b7vj-jyhb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2024-23331.yml	38.6.0
2026-06-02T04:44:55.562909+00:00	GitLab Importer	Affected by	VCID-n143-1uka-s3eg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2023-34092.yml	38.6.0