How severe is GHSA-c24v-8rfc-w8vw?

GHSA-c24v-8rfc-w8vw has a CVSS score of 7.5/10, rated HIGH. Immediate patching is strongly recommended.

Which packages are affected by GHSA-c24v-8rfc-w8vw?

GHSA-c24v-8rfc-w8vw affects the following packages: vite (npm), vite (npm), vite (npm), vite (npm). Ecosystems affected: npm.

How do I fix GHSA-c24v-8rfc-w8vw?

Update vite to 2.9.17 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-c24v-8rfc-w8vw is resolved across your whole dependency graph.

How do I detect GHSA-c24v-8rfc-w8vw in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for vite. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-c24v-8rfc-w8vw if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-c24v-8rfc-w8vw?

O3 pinpoints whether GHSA-c24v-8rfc-w8vw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-c24v-8rfc-w8vw actively exploited in the wild?

Yes. There are 1 known exploit references for GHSA-c24v-8rfc-w8vw, including 1 in-the-wild exploitation observed on GitHub and other sources. Treat this as actively exploitable and prioritize patching immediately. All exploit code should only be run in an isolated sandbox environment for research or authorized testing — never against production systems without explicit written authorization.

What is the EPSS score for GHSA-c24v-8rfc-w8vw?

GHSA-c24v-8rfc-w8vw has an EPSS (Exploit Prediction Scoring System) score of 0.8%, placing it in the 52th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

When was GHSA-c24v-8rfc-w8vw published, and has it been updated?

GHSA-c24v-8rfc-w8vw was published on January 19, 2024 and was last updated on February 4, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

GHSA-c24v-8rfc-w8vw

HIGH

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Also known asCVE-2024-23331

Published

Jan 19, 2024

Updated

Feb 4, 2026

Affected

4 pkgs

Patched

4 / 4

Exploits

1 known

EPSS Exploitation Probability

via FIRST.org ↗

0.8%probability of exploitation in next 30 days

Lower Risk52th percentile+0.31%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

4 pkgs affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

vitenpm

143.0Mdownloads / week

Description

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected]

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
- npm run dev -- --host 0.0.0.0
- Publicly accessible for the time being here: http://20.12.242.81:5173/
Created dummy secret files, e.g. custom.secret and production.pem
Populated vite.config.js with

export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

curl -s http://20.12.242.81:5173/@fs//
- Descriptive error page reveals absolute filesystem path to project root
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
- Discoverable configuration file reveals locations of secrets
curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
- Secrets are directly accessible using case-augmented version of filename

Proof Screenshot 2024-01-19 022736

Impact

Who

Users with exposed dev servers on environments with case-insensitive filesystems

What

Files protected by server.fs.deny are both discoverable, and accessible

Affected Packages

4 total 4 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`vite`	≥ 2.7.0&&< 2.9.17	2.9.17
📦npm	`vite`	≥ 3.0.0&&< 3.2.8	3.2.8
📦npm	`vite`	≥ 4.0.0&&< 4.5.2	4.5.2
📦npm	`vite`	≥ 5.0.0&&< 5.0.12	5.0.12

Exploits & PoCs

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

Vite is a frontend tooling framework for javascript. The Vite dev server…

github.comNVDJan 2024

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for vite. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update vite to 2.9.17 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-c24v-8rfc-w8vw is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-c24v-8rfc-w8vw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-c24v-8rfc-w8vw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. ### Patches Fixed in [email protected], [email protected], [email protected], [email protected] ### Details Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a black

O3 Security · Impact-Aware SCA

Is GHSA-c24v-8rfc-w8vw in your dependencies?

O3 detects GHSA-c24v-8rfc-w8vw across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works