CVE-2024-31207: 
JavaScript vulnerability analysis and mitigation

CVE-2024-31207 affects Vite, a frontend build tooling system. The vulnerability was discovered in the server.fs.deny functionality which failed to properly deny requests for patterns with directories. This security issue was disclosed on April 4, 2024, and affects multiple versions of Vite including versions up to 5.2.5, 5.1.6, 5.0.12, 4.5.2, 3.2.8, and 2.9.17 (GitHub Advisory).

The vulnerability stems from the use of picomatch with the configuration { matchBase: true }, which only matches the basename of files rather than the full path due to a bug. Additionally, the configuration did not set { dot: true }, causing dotfiles not to be denied unless explicitly defined. The issue has been assigned a CVSS v3.1 score of 5.9 (Medium) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability only affects applications that set a custom server.fs.deny with patterns including directories and explicitly expose the Vite dev server to the network using --host or server.host config option. When exploited, it could allow unauthorized access to files that should have been denied by the configured patterns (GitHub Advisory).

The vulnerability has been patched in versions 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10, and 2.9.18. Users should upgrade to these or later versions to address the security issue (GitHub Advisory).