Exposed Vite Dev Server in Production Enables Full Database Exfiltration

Reported: Feb 21, 2026
Severity: Critical
Platform: Web
Vulnerability Class: Sensitive Data Exposure (CWE-200)
Target Type: Cryptocurrency Platform (CMS)
Impact: Admin credentials + GitHub PAT + full CMS takeover

The Risk

A cryptocurrency platform accidentally left a development tool running on its live website. This allowed anyone to download the entire database without logging in, including 6 admin accounts, API access keys, and a password to the company's private code repository. An attacker could have taken full control of the website, injected fake wallet addresses to redirect customer funds, or accessed private source code. It was the equivalent of leaving the keys to the building taped to the front door.

The Vulnerability

The platform's CMS admin panel was served by a Vite development server running in production. Vite exposes a /@fs/ endpoint that serves files from the local filesystem within its configured allowlist directory. No authentication was required. Requesting files outside the allowlist returned a 403 error that helpfully disclosed the allowlist root path.

The Attack

The Full Database

The CMS used SQLite as its default database, stored inside the project directory. A single unauthenticated GET request downloaded the entire 6.1 MB database file, which contained:

  • 6 admin accounts with bcrypt password hashes (all with super admin privileges)
  • 5 active registration tokens (potential direct admin account creation without knowing a password)
  • 5 API tokens (3 with full access, 2 read-only)
  • All CMS content for the platform's website

Source Code and Secrets

All project source files were readable, including configuration files containing the admin JWT secret, API token salt, transfer token salt, and application keys.

Git Repository

The .git/ directory was fully accessible, exposing a GitHub Personal Access Token embedded in the remote URL, the full commit history, and the private repository name.

Infrastructure Details

Git logs and server paths revealed the cloud region, private IP address, and that the server was running on a standard cloud compute instance.

Multiple Attack Paths

Password Cracking

Download the database, extract the bcrypt hashes, and crack them. Log in to the admin panel with super admin access.

Registration Token Abuse

The database contained active registration tokens. Using one of these with the admin registration endpoint would create a new super admin account without needing any existing credentials.

Source Code Token Replay

API tokens from the database combined with the token verification logic from the source code could enable direct API access.

Version Control Access

The GitHub PAT from the git config could authenticate to GitHub and potentially access private repositories belonging to the organization.

Compounding Factor

The CMS version was vulnerable to a known session expiration flaw. Admin JWTs were not invalidated after logout or account deactivation and could be renewed indefinitely. Even after rotating all passwords, any previously captured JWT would remain valid for 30 days. Only rotating the JWT signing secret would invalidate all existing sessions.
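The following Python is an added illustration, not code from the report or from the CMS it describes. It models the session flaw with a minimal HS256 JWT check: an admin token captured at t0 still authenticates after the password is rotated, and only a new signing secret rejects it. It then goes one step beyond the report by showing the per-account issued-at cutoff that lets a password reset or deactivation revoke outstanding tokens without rotating the global secret. The admin record, secrets, timestamps and the 30-day lifetime are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Added example, not the CMS's code: a minimal HS256 JWT signer/verifier used to
# model why password rotation alone does not revoke already-issued admin tokens.

DAY = 86400


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, payload))
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now: int):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    body = f"{parts[0]}.{parts[1]}"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return None
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # malformed base64 or JSON
        return None
    if now >= payload.get("exp", 0):
        return None
    return payload


# Constructed admin record (hypothetical address). 'sessions_valid_from' is the
# hardening field: tokens issued before that instant are rejected even though
# their signature still verifies.
admins = {
    "admin@example.invalid": {"password_hash": "bcrypt-hash-v1", "sessions_valid_from": 0},
}


def authenticate_flawed(token: str, secret: bytes, now: int):
    """Mirrors the flaw described above: any validly signed, unexpired token is accepted."""
    payload = verify_jwt(token, secret, now)
    if not payload or payload.get("sub") not in admins:
        return None
    return payload["sub"]


def authenticate_hardened(token: str, secret: bytes, now: int):
    """Adds a per-account cutoff so password resets or deactivations revoke older tokens."""
    payload = verify_jwt(token, secret, now)
    if not payload or payload.get("sub") not in admins:
        return None
    if payload.get("iat", 0) < admins[payload["sub"]]["sessions_valid_from"]:
        return None
    return payload["sub"]


def rotate_password(user: str, new_hash: str, now: int) -> None:
    """Change the stored hash and move the cutoff so every earlier token is revoked."""
    admins[user]["password_hash"] = new_hash
    admins[user]["sessions_valid_from"] = now


def scenario():
    """Walk through the incident timeline; returns the outcome of each step."""
    secret_v1, secret_v2 = b"jwt-secret-v1", b"jwt-secret-v2"
    t0 = 1_700_000_000  # constructed: the moment the attacker captured the token
    token = sign_jwt({"sub": "admin@example.invalid", "iat": t0, "exp": t0 + 30 * DAY}, secret_v1)

    results = {}
    # Day 1: operators rotate the admin password but keep the same signing secret.
    rotate_password("admin@example.invalid", "bcrypt-hash-v2", t0 + 1 * DAY)
    results["flawed_after_password_rotation"] = authenticate_flawed(token, secret_v1, t0 + 2 * DAY)
    results["hardened_after_password_rotation"] = authenticate_hardened(token, secret_v1, t0 + 2 * DAY)
    # Rotating the signing secret rejects the token regardless of which check is used.
    results["flawed_after_secret_rotation"] = authenticate_flawed(token, secret_v2, t0 + 2 * DAY)
    # Without any rotation the captured token lives for the full 30 days.
    results["valid_at_day_29"] = verify_jwt(token, secret_v1, t0 + 29 * DAY) is not None
    results["valid_at_day_30"] = verify_jwt(token, secret_v1, t0 + 30 * DAY) is not None
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

The cutoff check is what the flawed CMS lacks: because the token carries no reference to server-side state, nothing short of changing the key it was signed with can reject it early. Storing a per-account cutoff (or a token version) and comparing it against the token's issued-at claim gives logout, deactivation and password reset real effect, and rotating the signing secret remains the blanket option when the secret itself may have leaked, as it did here.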

The Impact

  • Full database exfiltration with admin credential theft
  • CMS admin takeover via password cracking or registration token abuse
  • GitHub PAT exposure with access to private repositories
  • Content injection on a cryptocurrency platform (dangerous for phishing, fake wallet addresses)
  • Persistent access even after password rotation due to session expiration flaw

Remediation

  • Block filesystem access endpoints at the edge/WAF
  • Rebuild the CMS admin in production mode (no dev server)
  • Remove .git/ from deployed servers
  • Rotate all admin passwords, API tokens, the GitHub PAT, and all signing secrets
  • Update the CMS to patch the session expiration vulnerability
  • Move the database outside the web-served directory or migrate to PostgreSQL
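As an added example (not code from the report, the platform, or Vite), the Python below turns the first three remediation items and the endpoint described under "The Vulnerability" into one set of path rules, then uses those same rules two ways: as the decision logic an edge/WAF block would apply, and as a detector run over access-log lines to establish whether anyone reached the dev server or the .git/ directory before the block went in. The /@fs/ and /.git/ paths come from the report; /@vite/ and /@id/ are additional routes that only a Vite dev server answers, and the log lines, IPs and file paths are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Added example, not part of the report. One rule set serves both as the logic
# behind an edge/WAF block of dev-server and repository paths and as a detector
# over access logs. /@fs/ and /.git/ are from the report; /@vite/ and /@id/ are
# further Vite dev-server-only routes (assumption: extend the tuple to whatever
# routes your own framework exposes).

DEV_SERVER_PREFIXES = ("/@fs/", "/@vite/", "/@id/")
DATABASE_SUFFIXES = (".sqlite", ".sqlite3", ".db")

# Combined-log-format line: ip ident user [timestamp] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target: str) -> str:
    """Percent-decode and collapse dot segments so /%40fs/ or /x/../.git/ are not missed."""
    path = unquote(urlsplit(target).path)
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def classify_path(target: str):
    """Return the name of the rule a request path violates, or None if it is allowed."""
    path = normalize_path(target)
    if path.startswith(DEV_SERVER_PREFIXES):
        return "vite-dev-server"
    if ".git" in path.split("/"):
        return "git-metadata"
    if path.lower().endswith(DATABASE_SUFFIXES):
        return "database-file"
    return None


def scan_access_log(lines):
    """Return one hit per log line whose request path matches a block rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        rule = classify_path(m["target"])
        if rule:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["target"],
                         "status": int(m["status"]), "rule": rule})
    return hits


def summarize(hits):
    """Per source IP: how many blocked-path requests, and how many of them got a 2xx."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"requests": 0, "succeeded": 0})
        s["requests"] += 1
        if 200 <= h["status"] < 300:
            s["succeeded"] += 1
    return summary


# Constructed sample log; IPs are documentation ranges, paths are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 200 5123
203.0.113.7 - - [21/Feb/2026:10:00:05 +0000] "GET /@fs/home/deploy/notes.txt HTTP/1.1" 403 412
203.0.113.7 - - [21/Feb/2026:10:00:09 +0000] "GET /@fs/srv/cms/database/content.sqlite HTTP/1.1" 200 6400000
203.0.113.7 - - [21/Feb/2026:10:00:12 +0000] "GET /%40fs/srv/cms/.git/config HTTP/1.1" 200 311
198.51.100.4 - - [21/Feb/2026:10:01:00 +0000] "GET /assets/index.js HTTP/1.1" 200 8801
198.51.100.4 - - [21/Feb/2026:10:01:03 +0000] "GET /static/../.git/HEAD HTTP/1.1" 404 153
""".splitlines()

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['status']} {h['rule']:16} {h['path']}")
    print(summarize(found))
```

The 403 responses are worth keeping in the hit list rather than filtering out: as the report notes, a 403 from the /@fs/ handler still discloses the allowlist root, so a burst of them from one source is the recon preceding the successful 200s, not noise. The normalization step matters for the WAF use too: a rule that matches the literal string "/@fs/" misses the percent-encoded form, and a rule for "/.git/" anchored at the root misses a dot-segment traversal that a lenient server would resolve.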