Main Vulnerability Database Vulnerabilities #VU125304

Improper access control in Vite - CVE-2024-31207

Published: April 3, 2024 / Updated: April 8, 2026

Vulnerability identifier: #VU125304

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-31207

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Vite

Software vendor:
Vite

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the server.fs.deny file access restriction mechanism when handling requests for paths matching deny patterns with directories. A remote attacker can send a specially crafted request to disclose sensitive information.

Only applications that set a custom server.fs.deny pattern containing directories and explicitly expose the Vite dev server to the network are vulnerable.

Remediation

Install security update from vendor's website.

External links

https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g

Improper access control in Vite - CVE-2024-31207

Description

Remediation

External links

Please verify you're human