Vite ServeStaticFiles Middleware Exposes Path Traversal Risk on Windows, Symlink Systems

A security vulnerability in Vite's core static file server could allow attackers to bypass directory traversal protections. The flaw resides in the `ServeStaticFiles` middleware, where the current defense mechanism using `path.resolve()` with a `'.' +` prefix and a `startsWith()` check is insufficient. This design can be circumvented on case-insensitive filesystems, such as those on Windows, or through manipulation of symbolic links, potentially exposing files outside the intended public directory.

The specific code at risk is located in `packages/vite/src/middleware/ServeStaticFiles.ts`, approximately lines 52-59. The issue is classified as a medium-severity directory traversal vulnerability within the static file serving functionality. This is a critical component for developers using Vite to serve assets in development and production-like environments.

The recommended fix involves replacing the current logic with a more robust method using `path.relative()`. By validating that the resulting relative path does not start with `..` and is not an absolute path, the middleware can properly block traversal attempts. This vulnerability underscores the persistent challenge of secure path sanitization in web frameworks and highlights a specific attack vector that developers on Windows or systems utilizing symlinks must urgently address.