CVE-2023-34092— Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-34092
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
路径等价:’//multiple/leading/slash’
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vite 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vite是Vite开源的一种新型的前端构建工具。 Vite 2.9.16版本、3.2.7版本、4.0.5版本、4.1.5版本、4.2.3版本、4.3.9版本存在安全漏洞。攻击者利用该漏洞从应用程序的Vite根路径读取文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2023-34092
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | test-cve-2023-34092 | https://github.com/FlapyPan/test-cve-2023-34092 | POC Details |
| 2 | Vite dev server could allow reading files from the Vite project root by bypassing server.fs.deny with double forward-slash paths (//). This affects exposed dev servers only. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-34092.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-34092
请登录查看更多情报信息。
- https://github.com/vitejs/vite/pull/13348x_refsource_MISC
- https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2023-34092
IV. Related Vulnerabilities
Same product: vite
- CVE-2026-39365
Vite has a Path Traversal in Optimized Deps `.map` Handling - CVE-2026-39364
Vite has a `server.fs.deny` bypass with queries - CVE-2026-39363
Vite Affected by Arbitrary File Read via Vite Dev Server Web - CVE-2025-62522
vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-58752
Vite's `server.fs` settings were not applied to HTML files
Same vendor: vitejs
- CVE-2026-39365
Vite has a Path Traversal in Optimized Deps `.map` Handling - CVE-2026-39364
Vite has a `server.fs.deny` bypass with queries - CVE-2026-39363
Vite Affected by Arbitrary File Read via Vite Dev Server Web - CVE-2025-68155
@vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_ - CVE-2025-67489
@vitejs/plugin-rsc Remote Code Execution through unsafe dyna
V. Comments for CVE-2023-34092
No comments yet