{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31207", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-29T14:16:31.900Z", "datePublished": "2024-04-04T15:51:54.683Z", "dateUpdated": "2024-08-02T01:46:04.483Z"}, "containers": {"cna": {"title": "Vite's `server.fs.deny` did not deny requests for patterns with directories", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"}, {"name": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"}, {"name": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"}, {"name": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"}, {"name": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"}, {"name": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"}, {"name": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"version": ">= 2.7.0, <= 2.9.17", "status": "affected"}, {"version": ">= 3.0.0, <= 3.2.8", "status": "affected"}, {"version": ">= 4.0.0, <= 4.5.2", "status": "affected"}, {"version": ">= 5.0.0, <= 5.0.12", "status": "affected"}, {"version": ">= 5.1.0, <= 5.1.6", "status": "affected"}, {"version": ">= 5.2.0, <= 5.2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T15:51:54.683Z"}, "descriptions": [{"lang": "en", "value": "Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18."}], "source": {"advisory": "GHSA-8jhw-289h-jh2g", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31207", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-04T17:23:36.781933Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:36:11.128Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:46:04.483Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"}, {"name": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"}, {"name": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"}, {"name": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"}, {"name": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"}, {"name": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"}, {"name": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31207", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-29T14:16:31.900Z", "datePublished": "2024-04-04T15:51:54.683Z", "dateUpdated": "2024-06-04T17:36:11.128Z"}, "containers": {"cna": {"title": "Vite's `server.fs.deny` did not deny requests for patterns with directories", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"}, {"name": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"}, {"name": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"}, {"name": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"}, {"name": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"}, {"name": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"}, {"name": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"version": ">= 2.7.0, <= 2.9.17", "status": "affected"}, {"version": ">= 3.0.0, <= 3.2.8", "status": "affected"}, {"version": ">= 4.0.0, <= 4.5.2", "status": "affected"}, {"version": ">= 5.0.0, <= 5.0.12", "status": "affected"}, {"version": ">= 5.1.0, <= 5.1.6", "status": "affected"}, {"version": ">= 5.2.0, <= 5.2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T15:51:54.683Z"}, "descriptions": [{"lang": "en", "value": "Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18."}], "source": {"advisory": "GHSA-8jhw-289h-jh2g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31207", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-04T17:23:36.781933Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:22.140Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"descriptions": [{"lang": "en", "value": "Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18."}, {"lang": "es", "value": "Vite (palabra francesa para \"r\u00e1pido\", pronunciada /vit/, como \"veet\") es una herramienta de construcci\u00f3n de frontend para mejorar la experiencia de desarrollo de frontend. `server.fs.deny` no niega solicitudes de patrones con directorios. Esta vulnerabilidad ha sido parcheada en las versiones 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 y 2.9.18."}], "id": "CVE-2024-31207", "lastModified": "2024-11-21T09:13:02.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-04T16:15:09.333", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vitejs: \"server.fs.deny\" configuration does not deny requests that include patterns", "id": "2273531", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273531"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "(CWE-200|CWE-284)", "details": ["Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.", "A flaw was found in the Node.js Vite package. When configuring the \"server.fs.deny\" server option to deny requests that include a pattern with directories such as /foo/**/*, the requests were still being allowed. This can potentially expose files or directories containing sensitive information. Only apps setting a custom \"server.fs.deny\" that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using --host or server.host config option are affected."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-31207", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}], "public_date": "2024-04-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-31207\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-31207"], "statement": "This issue is considered of moderate severity due to its potential to expose sensitive files or directories under specific conditions. The vulnerability arises when a custom server.fs.deny pattern including directories, such as /foo/**/*, fails to block access as intended. This flaw can only be exploited if the Vite dev server is explicitly exposed to the network via the --host or server.host options. Therefore, the issue requires both a specific server configuration and intentional network exposure, which mitigates the likelihood of widespread exploitation but still poses a significant risk in environments where these conditions are met, potentially leading to unauthorized access to sensitive data.", "threat_severity": "Moderate"}

{"created": "2025-07-13T11:32:06.344550+00:00", "updated": "2025-07-13T11:32:06.344606+00:00", "vendors": ["vitejs", "vitejs$PRODUCT$vite"]}