Main Vulnerability Database SB2024040382

SB2024040382 - Improper access control in Vite

Published: April 3, 2024 Updated: April 8, 2026

Security Bulletin ID SB2024040382

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper access control (CVE-ID: CVE-2024-31207)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the server.fs.deny file access restriction mechanism when handling requests for paths matching deny patterns with directories. A remote attacker can send a specially crafted request to disclose sensitive information.

Only applications that set a custom server.fs.deny pattern containing directories and explicitly expose the Vite dev server to the network are vulnerable.

Remediation

Install update from vendor's website.

References

https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g