Path equivalence issue in Vite - CVE-2023-34092

 

Path equivalence issue in Vite - CVE-2023-34092

Published: June 1, 2023 / Updated: April 8, 2026


Vulnerability identifier: #VU125306
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-34092
CWE-ID: CWE-50
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vite
Affected software:
Vite

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the Vite dev server file access restriction handling when processing requests containing a double forward-slash path. A remote attacker can send a specially crafted request to disclose sensitive information.

Only instances explicitly exposed to the network are affected, and only files in the immediate Vite project root folder could be exposed.


How to mitigate CVE-2023-34092

Install security update from vendor's website.

Sources