CVE-2024-23331 Overview
CVE-2024-23331 is a path traversal vulnerability in Vite, a JavaScript frontend tooling framework. The flaw allows attackers to bypass the server.fs.deny allowlist on case-insensitive filesystems by requesting filenames with altered casing. Servers running on Windows are primarily affected. The issue arises because picomatch performs case-sensitive glob matching, while the underlying file server accesses files case-insensitively. Attackers exploiting this mismatch can read sensitive files that the dev server intends to block. The vulnerability is tracked under [CWE-178: Improper Handling of Case Sensitivity].
Critical Impact
Remote unauthenticated attackers can read arbitrary files on a Vite dev server hosted on a case-insensitive filesystem, leading to disclosure of source code, credentials, and configuration data.
Affected Products
- Vite versions prior to 2.9.17, 3.2.8, 4.5.2, and 5.0.12
- Vite dev servers running on Microsoft Windows hosts
- Any Vite deployment on case-insensitive filesystems (including macOS default APFS configurations)
Discovery Timeline
- 2024-01-19 - CVE-2024-23331 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23331
Vulnerability Analysis
Vite exposes a development server with a server.fs.deny configuration option. This option accepts glob patterns identifying files the dev server must not serve, such as .env files or private keys. The matching engine is picomatch, which performs case-sensitive comparisons by default. When the dev server resolves a requested path, however, it relies on the host operating system's file API. On Windows and other case-insensitive filesystems, C:\app\.env and C:\app\.ENV resolve to the same file. The mismatch between case-sensitive pattern matching and case-insensitive file resolution creates a blacklist bypass. An attacker requesting a sensitive path with non-canonical casing evades the deny rule and receives the file contents. This issue is the case-sensitivity variant of CVE-2023-34092.
Root Cause
The root cause is inconsistent casing semantics between the picomatch glob matcher and the underlying filesystem call. picomatch treats .env and .Env as distinct strings, so the deny pattern fails to match. The Node.js fs API then reads the file using the operating system's case-insensitive lookup, returning the protected content.
Attack Vector
An unauthenticated remote attacker sends an HTTP request to the Vite dev server using a raw filesystem path with altered casing. For example, instead of requesting /@fs/C:/project/.env, the attacker requests /@fs/C:/project/.ENV. The deny pattern does not match the altered casing, and Vite serves the file. Exploitation requires only network access to the dev server and produces high-confidentiality impact without affecting integrity or availability.
No verified proof-of-concept code is published in the referenced advisories. See the GitHub Security Advisory GHSA-c24v-8rfc-w8vw for additional technical context.
Detection Methods for CVE-2024-23331
Indicators of Compromise
- HTTP requests to Vite dev server endpoints containing /@fs/ with mixed-case path segments targeting sensitive files such as .env, .ENV, id_RSA, or config.JSON
- Access log entries showing 200 responses for paths that should be blocked by server.fs.deny
- Dev server log entries indicating file reads outside the configured project root
Detection Strategies
- Inspect Vite dev server access logs for requests with non-canonical casing on filenames known to be in the deny list
- Compare configured server.fs.deny patterns against served file paths using case-insensitive comparison to surface bypass attempts
- Apply web application firewall rules that normalize request casing before matching against blocklists
Monitoring Recommendations
- Alert on any external network connection to dev server ports (commonly 5173) on Windows or macOS developer workstations
- Monitor for unexpected exposure of dev servers beyond localhost, particularly when --host is enabled
- Track installed Vite versions across developer endpoints and flag versions below the patched releases
How to Mitigate CVE-2024-23331
Immediate Actions Required
- Upgrade Vite to 5.0.12, 4.5.2, 3.2.8, or 2.9.17 depending on the major version in use
- Audit all developer endpoints running Windows or macOS for vulnerable Vite installations
- Ensure dev servers are bound to localhost only and never exposed to untrusted networks
Patch Information
The maintainers fixed the issue in commit 91641c4, which normalizes path casing before applying server.fs.deny matching on case-insensitive filesystems. Patched versions are vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Details are published in the GitHub Security Advisory.
Workarounds
- Restrict dev server access to trusted local interfaces using server.host: '127.0.0.1' in vite.config.js
- Place the dev server behind authenticated network controls such as VPN or SSH tunneling when remote access is required
- Avoid storing sensitive credentials inside the Vite project root so that a bypass yields no actionable data
# Upgrade Vite to a patched release
npm install vite@5.0.12 --save-dev
# Verify installed version
npx vite --version
# Restrict dev server to localhost in vite.config.js
# server: { host: '127.0.0.1', strictPort: true }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
