DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-V2WJ-Q39Q-566R: GHSA-V2WJ-Q39Q-566R: Vite `server.fs.deny` Bypass via Query Parameters

#security #cve #cybersecurity #ghsa

GHSA-V2WJ-Q39Q-566R: Vite server.fs.deny Bypass via Query Parameters

Vulnerability ID: GHSA-V2WJ-Q39Q-566R
CVSS Score: 7.5
Published: 2026-04-06

Vite development server contains a high-severity vulnerability where the server.fs.deny access control mechanism can be bypassed by appending specific query parameters to file requests. This allows unauthorized retrieval of restricted files, including sensitive environment variables and source code.

TL;DR

An improper access control flaw in Vite's development server allows attackers to bypass server.fs.deny restrictions by appending query parameters (e.g., ?raw) to requested paths, leading to sensitive information disclosure.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Improper Access Control
  • Attack Vector: Network
  • Authentication Required: None
  • Impact: Information Disclosure
  • CVSSv3 Score: 7.5 (High)
  • CWE ID: CWE-284, CWE-200
  • Exploit Status: PoC Available

Affected Systems

  • Vite Development Server
  • Vite: < 7.3.2 (Fixed in: 7.3.2)
  • Vite: >= 8.0.0, < 8.0.5 (Fixed in: 8.0.5)

Code Analysis

Commit: a9a3df2

fix: check server.fs after stripping query as well (#22160)

@@ -x,y +x,y @@
-  if (rawRE.test(id) || urlRE.test(id) || inlineRE.test(id) || svgRE.test(id)) {
-    return checkLoadingAccess(config, id) !== 'allowed'
+  if (rawRE.test(id) || urlRE.test(id) || inlineRE.test(id) || svgRE.test(id)) {
+    return (
+      checkLoadingAccess(config, cleanUrl(id)) !== 'allowed' ||
+      checkLoadingAccess(config, id) !== 'allowed'
+    )
   }
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade to a patched version of Vite (v7.3.2 or v8.0.5)
  • Restrict network access to the development server (avoid binding to 0.0.0.0)
  • Implement strong network isolation for development environments
  • Use dedicated secret management tools rather than storing sensitive data in plain .env files

Remediation Steps:

  1. Audit project dependencies to identify the currently installed version of Vite.
  2. Update the package.json file to require Vite version 7.3.2, 8.0.5, or later.
  3. Run npm install or yarn install to pull the updated packages.
  4. Restart any running Vite development server processes to ensure the new code is executed.
  5. Review .env files for any sensitive production credentials and rotate them if the development server was previously exposed to untrusted networks.

References

Read the full report for GHSA-V2WJ-Q39Q-566R on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)