CVE-2023-34092

Description

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (`//`). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. ### Steps to Fix. **Update Vite**: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. **Secure the server configuration**: In your `vite.config.js` file, review and update the server configuration options to restrict access to unauthorized requests or directories. ### Impact Only users explicitly exposing the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@**4.3.9**, vite@**4.2.3**, vite@**4.1.5**, vite@**4.0.5** and in the latest minors of the previous two majors, vite@**3.2.7** and vite@**2.9.16**. ### Details Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using `pnpm run dev`.\n3. Directly access the file via url using double forward-slash (`//`) (e.g: `//.env`, `//.env.local`)\n4. The server option `fs.deny` was successfully bypassed. Proof Images: \n

How to fix CVE-2023-34092

To remediate CVE-2023-34092, upgrade the affected package to a fixed version below.

• —upgrade to 2.9.16 or later

Is CVE-2023-34092 being exploited?

Likely — EPSS is 56.7%, placing CVE-2023-34092 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.