CVE-2024-45811 MEDIUM

CVE-2024-45811: server.fs.deny bypassed when using ?import&raw in vite

Vendor Vitejs
Product vite
Weakness CWE-200 · Info exposure
Published September 17, 2024
Last update September 18, 2024
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

September 17, 2024 CVE published
September 18, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-4428 what3words Autosuggest Plugin Setting class-w3w-autosuggest-public.php enqueue_scripts information disclosure CVE-2020-36723 ListingPro - WordPress Directory & Listing Theme < 2.6.1 - Sensitive Information Disclosure CVE-2024-7426 Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.6.0 - Unauthenticated Full Path Disclosure CVE-2023-3705 Information Disclosure Vulnerability in CP-Plus Network Video Recorder CVE-2026-33041 AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php