CVE-2024-23331 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2024-23331 Interim 1 7 2026-03-05T02:50:47Z current 2025-01-18T00:48:06Z 2026-03-05T02:50:47Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2024-23331 Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IL7QOYRPFRGRS6UKU6ZYHI76FWFFUJNK/ E-Mail link for openSUSE-SU-2025:14663-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 16.0 SUSE Package Hub 15 SP6 openSUSE Leap 15.6 openSUSE Tumbleweed system-user-velociraptor-1.0.0-160000.2.2 system-user-velociraptor-1.0.0-bp156.3.3.1 velociraptor-0.7.0.4.git142.862ef23-1.1 velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 velociraptor-0.7.0.4.git152.fb24dfd-160000.2.2 velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 velociraptor-client-0.7.0.4.git152.fb24dfd-160000.2.2 system-user-velociraptor-1.0.0-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 velociraptor-0.7.0.4.git152.fb24dfd-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 velociraptor-client-0.7.0.4.git152.fb24dfd-160000.2.2 as a component of SUSE Linux Enterprise Server 16.0 system-user-velociraptor-1.0.0-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 as a component of SUSE Package Hub 15 SP6 system-user-velociraptor-1.0.0-bp156.3.3.1 as a component of openSUSE Leap 15.6 velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 as a component of openSUSE Leap 15.6 velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 as a component of openSUSE Leap 15.6 velociraptor-0.7.0.4.git142.862ef23-1.1 as a component of openSUSE Tumbleweed Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. CVE-2024-23331 SUSE Linux Enterprise Server 16.0:system-user-velociraptor-1.0.0-160000.2.2 SUSE Linux Enterprise Server 16.0:velociraptor-0.7.0.4.git152.fb24dfd-160000.2.2 SUSE Linux Enterprise Server 16.0:velociraptor-client-0.7.0.4.git152.fb24dfd-160000.2.2 SUSE Package Hub 15 SP6:system-user-velociraptor-1.0.0-bp156.3.3.1 SUSE Package Hub 15 SP6:velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 SUSE Package Hub 15 SP6:velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 openSUSE Leap 15.6:system-user-velociraptor-1.0.0-bp156.3.3.1 openSUSE Leap 15.6:velociraptor-0.7.0.4.git142.862ef23-bp156.3.3.1 openSUSE Leap 15.6:velociraptor-client-0.7.0.4.git142.862ef23-bp156.3.3.1 openSUSE Tumbleweed:velociraptor-0.7.0.4.git142.862ef23-1.1 important 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N