jupyter-lsp is a coding assistance tool for JupyterLab (code navigation, hover suggestions, linters, autocompletion and rename) using the Language Server Protocol. Installations of jupyter-lsp running in environments without file system access control configured at the operating system level, and with jupyter-server instances exposed to an untrusted network, are vulnerable to unauthorised access to, and modification of, the file system beyond the Jupyter root directory. Users unable to upgrade should restrict access to dev servers. This issue has been addressed; users are advised to upgrade.

Vite is a frontend tooling framework for JavaScript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. By requesting raw filesystem paths with altered casing, the matcher derived from `server.fs.deny` fails to block access to sensitive files: `picomatch` defaults to case-sensitive glob matching, while the file system does not distinguish case when resolving the name, so a denylist bypass is possible. This bypass is similar to CVE-2023-34092, with the attack surface reduced to hosts whose file systems are case-insensitive. Notably, this affects servers hosted on Windows (and, with the default case-insensitive APFS volume, macOS).