Search for packages
| purl | pkg:npm/vite@5.0.11 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-mbnq-b7vj-jyhb
Aliases: CVE-2024-23331 GHSA-c24v-8rfc-w8vw |
Improper Access Control Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:46:52.331612+00:00 | GitLab Importer | Affected by | VCID-mbnq-b7vj-jyhb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2024-23331.yml | 38.6.0 |