HIGH · CVSS 7.5
CVE-2023-49090 — Vite arbitrary file read
Vite's dev server could be tricked by a crafted URL request into returning arbitrary local files, exposing secrets, SSH keys, or other filesystem content.
Affects
- vite < 4.5.2
- vite < 5.0.5
What an attacker does
The attacker sends a URL containing path traversal sequences to a Vite dev server exposed to the LAN or the internet. Before the patch, Vite's filesystem resolver normalized paths in a way that allowed escaping the project root.
How to detect
Check the installed Vite version against the affected ranges above. Never expose `vite dev` to the internet.
How to fix
Upgrade Vite to 4.5.2 or later (4.x) or 5.0.5 or later (5.x).
How Securie catches it
Securie flags vulnerable Vite versions and warns on configs that bind to 0.0.0.0.