TinaCMS is a headless content management system that includes a command-line interface (CLI) tool used during development. Prior to version 2.1.8, the TinaCMS CLI dev server configures the underlying Vite development server with the option server.fs.strict set to false. Vite's server.fs.strict option is designed to restrict filesystem access to prevent unauthorized reading of files outside the project root. Disabling this restriction effectively allows the dev server to serve any file on the host filesystem to clients. Because the dev server is typically accessible over the network during development, any unauthenticated attacker who can reach this server can exploit this misconfiguration to read arbitrary files, potentially exposing sensitive information such as configuration files, credentials, source code, or other private data. The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties) and CWE-200 (Information Exposure). The CVSS 3.1 base score is 6.2 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability, and no authentication or user interaction required. The vulnerability is fixed in TinaCMS CLI version 2.1.8 by restoring the default filesystem access restrictions in Vite. There are no known exploits in the wild as of the publication date.

The primary impact of this vulnerability is unauthorized disclosure of sensitive files on the host system running the TinaCMS CLI dev server. This can lead to leakage of source code, environment variables, credentials, or other confidential information that could facilitate further attacks such as privilege escalation, lateral movement, or data breaches. Since the vulnerability requires network access to the development server, its impact is mostly limited to environments where the dev server is exposed beyond localhost or trusted networks. Organizations that expose development environments to broader networks or the internet are at higher risk. The vulnerability does not allow modification or deletion of files, so integrity and availability impacts are minimal. However, the confidentiality breach can have serious consequences depending on the sensitivity of the exposed files and the organization's security posture.

1. Upgrade the TinaCMS CLI to version 2.1.8 or later, which restores Vite's filesystem access restrictions and fixes the vulnerability. 2. Restrict network access to development servers running TinaCMS CLI to trusted internal networks only; avoid exposing dev servers to public or untrusted networks. 3. Use firewall rules or VPNs to limit access to development environments. 4. Regularly audit development environment configurations to ensure that filesystem access restrictions are enabled and that no unintended services are exposed. 5. Educate developers about the risks of exposing dev servers and encourage use of secure development practices, including running dev servers on localhost or isolated environments. 6. Monitor network traffic and logs for unusual access patterns to dev servers that could indicate exploitation attempts. 7. If upgrading immediately is not feasible, consider manually configuring Vite's server.fs.strict option to true in the dev server configuration as a temporary workaround.