CVE-2024-31207

Vite's `server.fs.deny` did not deny requests for patterns with directories

Description

Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.

Category

5.9
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.10%
Affected: vitejs vite
Published at:
Updated at:

References

Link Tags
https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g
https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0
https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48
https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67
https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9
https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258
https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649

Frequently Asked Questions

What is the severity of CVE-2024-31207?
CVE-2024-31207 has been scored as a medium severity vulnerability.
How to fix CVE-2024-31207?
To fix CVE-2024-31207, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-31207 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-31207 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-31207?
CVE-2024-31207 affects vitejs vite.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.