CVE-2023-34092: fix: fs.deny with leading double slash by patak-dev · Pull Request #13348 · vitejs/vite

### Summary Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default [`fs.deny` settings](https://vitejs.dev/config/server-options.html#server-fs-deny) (`['.env', '.env.*', '*.{crt,pem}']`) ### Impact Only users explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected, and only files in the immediate Vite project root folder could be exposed. ### Patches Fixed in [email protected], [email protected], [email protected], [email protected] And in the latest minors of the previous two majors: [email protected], [email protected] ### Details Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, ...