Improper Handling of Case Sensitivity in Vite - CVE-2024-23331

 


Published: January 19, 2024 / Updated: April 8, 2026


Vulnerability identifier: #VU125305
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-23331
CWE-ID: CWE-178
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vite
Affected software: Vite

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the Vite dev server: the server.fs.deny file access restriction is not enforced correctly for raw filesystem path requests on case-insensitive filesystems. A remote attacker can send a specially crafted request that uses a case-augmented filename to bypass the restriction and disclose sensitive information.

This issue affects exposed dev servers hosted on case-insensitive filesystems, notably Windows.
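
The mismatch described above, as an added example (not Vite's code and not part of the advisory): a deny check that compares names case-sensitively sits in front of a file lookup that ignores case, shown next to the same check made case-insensitive. The deny patterns, paths, file contents and the in-memory stand-in for a case-insensitive filesystem are constructed for illustration.

```javascript
// Added illustration, not Vite's source. Patterns, paths and contents are constructed.

// Minimal glob support: `*` matches within one path segment; other characters are literal.
function globToRegExp(glob, { nocase = false } = {}) {
  const body = glob
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '[^/]*');
  return new RegExp(`^${body}$`, nocase ? 'i' : '');
}

// Build a deny check that tests the requested file name against every pattern.
function makeDenyCheck(patterns, options) {
  const matchers = patterns.map((p) => globToRegExp(p, options));
  return (requestPath) => {
    const name = requestPath.slice(requestPath.lastIndexOf('/') + 1);
    return matchers.some((re) => re.test(name));
  };
}

// Stand-in for a case-insensitive filesystem: lookups ignore letter case.
function makeCaseInsensitiveFs(files) {
  const index = new Map(Object.entries(files).map(([k, v]) => [k.toLowerCase(), v]));
  return { read: (p) => index.get(p.toLowerCase()) };
}

// Access gate: the deny decision is made on the path exactly as requested.
function serve(requestPath, isDenied, fs) {
  if (isDenied(requestPath)) return { status: 403 };
  const body = fs.read(requestPath);
  return body === undefined ? { status: 404 } : { status: 200, body };
}

const DENY = ['.env', '.env.*', '*.pem']; // constructed sample deny list
const fs = makeCaseInsensitiveFs({
  '/app/.env': 'SECRET=constructed',
  '/app/index.html': '<html></html>',
});
const caseSensitiveDeny = makeDenyCheck(DENY);                     // flawed check
const caseInsensitiveDeny = makeDenyCheck(DENY, { nocase: true }); // hardened check

function demo() {
  return {
    flawedExact: serve('/app/.env', caseSensitiveDeny, fs).status,    // 403
    flawedMixed: serve('/app/.Env', caseSensitiveDeny, fs).status,    // 200
    fixedMixed: serve('/app/.Env', caseInsensitiveDeny, fs).status,   // 403
    fixedAllowed: serve('/app/index.html', caseInsensitiveDeny, fs).status, // 200
  };
}
console.log(demo());
```

The deny decision has to use the same case rules as the filesystem that finally resolves the path; otherwise the check and the lookup disagree about which file was requested.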


How to mitigate CVE-2024-23331

Install the security update from the vendor's website.
