Dev mode Path traversal in nuxt/framework
Oct 27th 2022
Vite is misconfigured within nuxt to permit any file to be retrieved from the file system.
The Vite configuration has strict set to false.
- Server must be running in developer mode
Vulnerability can be exploited using paths like the following
Proof of Concept
Deploy the default playground, then request http://server/_nuxt/@fs/etc/passwd
This vulnerability permits arbitrary file reads while the dev server is running.
This can provide a wide range of sensitive information on the target server depending on configuration.
Dev mode servers exposed to the internet do occur; Shodan reveals about 100 deployments that would likely be vulnerable in this case.
Strict set to false
PR landed to enable vite fs strict mode: https://github.com/nuxt/framework/pull/8674
/cc @danielroe about bridge
Looks fixed to me, should probably hold off publishing this until bridge is fixed.
Seems fixed https://github.com/nuxt/bridge/commit/4aaf4eb188652af5ba9253d8ecf7319d2db4f951
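An added example, not code from Nuxt, Vite or the report: a simplified model of the allow-list check that fs strict mode applies to /@fs/ requests, showing the report's request served with strict off and refused with strict on. The /srv/app root, the resolveFsRequest helper and the sample URLs are assumptions made for illustration.

```javascript
// Added example: simplified model of an fs allow-list check, not Vite's source.
// BASE, the allowed root and the sample URLs are constructed for illustration.
const BASE = '/_nuxt/@fs';

// Collapse ".", ".." and empty segments of an absolute POSIX path.
function normalizeAbsolute(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Returns the file path the dev server would read, or null if denied.
function resolveFsRequest(url, { strict, allow }) {
  const pathname = url.split(/[?#]/)[0];
  if (!pathname.startsWith(BASE + '/')) return null; // not an @fs request
  let decoded;
  try {
    decoded = decodeURIComponent(pathname.slice(BASE.length));
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;
  const file = normalizeAbsolute(decoded);
  if (!strict) return file; // the reported state: every path is served
  // Compare on a directory boundary so /srv/app does not match /srv/app-old.
  const ok = allow.some((root) => {
    const r = normalizeAbsolute(root);
    return file === r || file.startsWith(r === '/' ? r : r + '/');
  });
  return ok ? file : null;
}

const allow = ['/srv/app']; // constructed project root
const samples = [
  '/_nuxt/@fs/srv/app/pages/index.vue',
  '/_nuxt/@fs/etc/passwd',
  '/_nuxt/@fs/srv/app/../../etc/passwd',
  '/_nuxt/@fs/srv/app-old/.env',
];
for (const url of samples) {
  const lax = resolveFsRequest(url, { strict: false, allow });
  const hardened = resolveFsRequest(url, { strict: true, allow });
  console.log(url, '| strict=false:', lax, '| strict=true:', hardened);
}
```

The check runs on the normalized path and on a directory boundary, so a path that only shares a prefix with the allowed root is still refused.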