CVE-2024-23331: 
JavaScript vulnerability analysis and mitigation

Vite, a frontend tooling framework for JavaScript, contains a vulnerability (CVE-2024-23331) in its dev server option server.fs.deny that can be bypassed on case-insensitive file systems using case-augmented versions of filenames. This particularly affects servers hosted on Windows. The vulnerability was discovered on January 19, 2024, and affects Vite versions from 2.7.0 up to 5.0.11. The issue has been patched in versions 5.0.12, 4.5.2, 3.2.8, and 2.9.17 (GitHub Advisory).

The vulnerability stems from picomatch defaulting to case-sensitive glob matching while the file server doesn't discriminate between cases. Since the matcher derived from config.server.fs.deny fails to block access to sensitive files when using augmented casing, attackers can bypass the blacklist protection. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with no required privileges or user interaction (GitHub Advisory).

When exploited, this vulnerability allows attackers to access sensitive files that should be protected by the server.fs.deny configuration. Files such as .env, certificates, and other sensitive files become accessible through case-manipulated requests, particularly on Windows and other case-insensitive filesystems (GitHub Advisory).

Users are strongly advised to upgrade to the patched versions: vite@5.0.12, vite@4.5.2, vite@3.2.8, or vite@2.9.17. For users unable to upgrade immediately, it is recommended to restrict access to dev servers. The vulnerability has been fixed by adding the nocase: true option to the picomatch configuration (Vite Patch).