CVE-2024-45811

low-risk

Published 2024-09-17

Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.8/10 Medium

ADJACENT_NETWORK / HIGH complexity

References (2)

https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34

https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx

/ 100

low-risk

Severity 12/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal