CVE-2024-45811: Vite's `server.fs.deny` is bypassed when using `?import&raw`
(updated )
The contents of arbitrary files can be returned to the browser.
References
- github.com/advisories/GHSA-9cwx-2883-4wfx
- github.com/vitejs/vite
- github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249
- github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34
- github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd
- github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6
- github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7
- github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx
- nvd.nist.gov/vuln/detail/CVE-2024-45811
Code Behaviors & Features
Detect and mitigate CVE-2024-45811 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →