{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-23331","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2024-01-15T15:19:19.442Z","datePublished":"2024-01-19T19:43:17.404Z","dateUpdated":"2025-06-17T21:19:25.323Z"},"containers":{"cna":{"title":"Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem","problemTypes":[{"descriptions":[{"cweId":"CWE-178","lang":"en","description":"CWE-178: Improper Handling of Case Sensitivity","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-200","lang":"en","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-284","lang":"en","description":"CWE-284: Improper Access Control","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw","tags":["x_refsource_CONFIRM"],"url":"https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw"},{"name":"https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5","tags":["x_refsource_MISC"],"url":"https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5"},{"name":"https://vitejs.dev/config/server-options.html#server-fs-deny","tags":["x_refsource_MISC"],"url":"https://vitejs.dev/config/server-options.html#server-fs-deny"}],"affected":[{"vendor":"vitejs","product":"vite","versions":[{"version":">=2.7.0, < 2.9.17","status":"affected"},{"version":">=3.0.0, <3.2.8","status":"affected"},{"version":">=4.0.0, < 4.5.2","status":"affected"},{"version":">=5.0.0, < 5.0.12","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-01-19T19:43:17.404Z"},"descriptions":[{"lang":"en","value":"Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers."}],"source":{"advisory":"GHSA-c24v-8rfc-w8vw","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T22:59:32.203Z"},"title":"CVE Program Container","references":[{"name":"https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw"},{"name":"https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5"},{"name":"https://vitejs.dev/config/server-options.html#server-fs-deny","tags":["x_refsource_MISC","x_transferred"],"url":"https://vitejs.dev/config/server-options.html#server-fs-deny"}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-23331","role":"CISA Coordinator","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-01-22T14:54:35.729020Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-17T21:19:25.323Z"}}]}}