Sign In

GHSA-4w7w-66w2-5vf9

ADVISORY - github

Summary

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • have a sensitive content in files ending with .map and the path is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

  1. Create a minimal PoC sourcemap outside the project root
    cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF
  2. Start the Vite dev server (example)
    pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
  3. Confirm that direct /@fs access is blocked by strict (returns 403)
  4. Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impacted images

Advisories

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-4w7w-66w2-5vf9
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-200CWE-22

CVSS SCORE

6.3medium