Vulnerability details: VCID-zhj7-qfr7-5ubt
Vulnerability ID VCID-zhj7-qfr7-5ubt
Aliases CVE-2024-23331
GHSA-c24v-8rfc-w8vw
Summary Vite is a frontend tooling framework for JavaScript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably, this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092, with the surface area reduced to hosts that have case-insensitive filesystems. Because `picomatch` defaults to case-sensitive glob matching while the file server does not distinguish case, a blacklist bypass is possible. When raw filesystem paths are requested using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
epss 0.00479 https://api.first.org/data/v1/epss?cve=CVE-2024-23331
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-c24v-8rfc-w8vw
cvssv3.1 7.5 https://github.com/vitejs/vite
generic_textual HIGH https://github.com/vitejs/vite
cvssv3.1 7.5 https://github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691
generic_textual HIGH https://github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691
cvssv3.1 7.5 https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
generic_textual HIGH https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
ssvc Track https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
cvssv3.1 7.5 https://github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278
generic_textual HIGH https://github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278
cvssv3.1 7.5 https://github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb
generic_textual HIGH https://github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb
cvssv3.1 7.5 https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
cvssv3.1_qr HIGH https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
generic_textual HIGH https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
ssvc Track https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-34092
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-34092
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-23331
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-23331
cvssv3.1 7.5 https://vitejs.dev/config/server-options.html#server-fs-deny
generic_textual HIGH https://vitejs.dev/config/server-options.html#server-fs-deny
ssvc Track https://vitejs.dev/config/server-options.html#server-fs-deny
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-22T14:54:35Z/ Found at https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-22T14:54:35Z/ Found at https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-34092
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-23331
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://vitejs.dev/config/server-options.html#server-fs-deny
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-22T14:54:35Z/ Found at https://vitejs.dev/config/server-options.html#server-fs-deny
Exploit Prediction Scoring System (EPSS)
Percentile 0.65521
EPSS Score 0.00479
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:28:08.031472+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/23xxx/CVE-2024-23331.json 38.6.0