@Saboor-Hakimi
Created February 8, 2025 09:30
[Affected Product Code Base]: medusa - v2.0.4
In Medusa v2 the Medusa Backend API and the Medusa Admin Dashboard run from the same project: the API endpoints are served under the /store and /admin paths, and the Admin Dashboard UI is served under the /app path of the Medusa project.
When the application runs in development mode, the Vite configuration for the Medusa Admin Dashboard is misconfigured: it does not restrict serving of the dashboard's static assets to ./.medusa/server/public/ inside the project, but instead serves from the root directory of the whole project from which both components (the backend API and the Admin Dashboard) are executed. This can be used to leak the source files of the custom code in the Medusa backend API.
[CVE Impact Other]: Node.js project source code disclosure, and configuration file disclosure when the project is deployed as a Docker container built from a Dockerfile
Attack Vectors: Because of the Vite misconfiguration in MedusaJS development mode, the backend API project files can be leaked through a file inclusion issue in the Medusa Admin Dashboard via the /app/@fs/ endpoint. Only development mode is affected; a production build does not expose the Vite dev server.