Main Vulnerability Database Vulnerabilities #VU125306

Path equivalence issue in Vite - CVE-2023-34092

Published: June 1, 2023 / Updated: April 8, 2026

Vulnerability identifier: #VU125306

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-34092

CWE-ID: CWE-50

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Vite

Software vendor:
Vite

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the Vite dev server file access restriction handling when processing requests containing a double forward-slash path. A remote attacker can send a specially crafted request to disclose sensitive information.

Only instances explicitly exposed to the network are affected, and only files in the immediate Vite project root folder could be exposed.

Remediation

Install security update from vendor's website.

External links

https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67

Path equivalence issue in Vite - CVE-2023-34092

Description

Remediation

External links

Please verify you're human