Improper Handling of Case Sensitivity in Vite - CVE-2024-23331

 

Published: January 19, 2024 / Updated: April 8, 2026


Vulnerability identifier: #VU125305
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-23331
CWE-ID: CWE-178
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Vite
Software vendor: Vite

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the Vite dev server: the server.fs.deny file access restriction is not enforced correctly for raw filesystem path requests on case-insensitive filesystems. A remote attacker can send a specially crafted request using case-augmented filenames to disclose sensitive information.

This issue affects exposed dev servers hosted on case-insensitive filesystems, notably Windows.
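
The mismatch described above, as an added example (not Vite's source code): a simplified deny-list check in JavaScript that compares case-sensitive matching with case-insensitive matching and reports the paths where the two disagree. The deny patterns, sample paths and function names are constructed for illustration.

```javascript
// Added illustration; not Vite's implementation.
// Hypothetical deny list (constructed for this example).
const DENY = ['.env', '.env.*', '*.pem'];

// Convert a simple basename glob (only "*" is a wildcard) into an anchored RegExp.
function globToRegExp(glob, nocase) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*');                 // "*" matches any run of characters
  return new RegExp(`^${escaped}$`, nocase ? 'i' : '');
}

// True when the last path segment matches any deny pattern.
function isDenied(path, patterns, { nocase }) {
  const base = path.split(/[\\/]/).pop();
  return patterns.some((p) => globToRegExp(p, nocase).test(base));
}

// Paths a case-sensitive check lets through although a case-insensitive
// filesystem would resolve them to a denied file. Useful as a review or
// log-triage helper: every hit is a request the deny list should have blocked.
function caseOnlyMisses(paths, patterns) {
  return paths.filter(
    (p) =>
      !isDenied(p, patterns, { nocase: false }) &&
      isDenied(p, patterns, { nocase: true })
  );
}

// Constructed sample of requested paths.
const requested = [
  '/srv/app/.env',            // blocked by both checks
  '/srv/app/.Env',            // missed by the case-sensitive check
  '/srv/app/keys/Server.PEM', // missed by the case-sensitive check
  '/srv/app/src/main.js',     // not sensitive, allowed by both
];

console.log(caseOnlyMisses(requested, DENY));
```

On a case-insensitive filesystem the deny check has to match with the same case rules the filesystem uses, which is what the `nocase: true` branch models.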


Remediation

Install the security update from the vendor's website.
