Conversation

@renovate renovate bot commented Apr 23, 2025

This PR contains the following updates:

Package: vite (source)
Change: 6.2.4 -> 6.2.7

GitHub Vulnerability Alerts

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

.svg

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg together with ?.wasm?init, or with a sec-fetch-dest: script header, the restriction could be bypassed.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass it with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'
curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

CVE-2025-32395

Summary

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Impact

Only apps with the following conditions are affected.

  • explicitly exposing the Vite dev server to the network (using --host or server.host config option)
  • running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)

Details

The HTTP/1.1 spec (RFC 9112) does not allow # in the request-target, although an attacker can still send such a request. For requests with an invalid request-line (which includes the request-target), the spec recommends rejecting them with 400 or 301. The same can be said for HTTP/2 (ref1, ref2, ref3).

On Node and Bun, those requests are not rejected internally and are passed to user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url would not contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.

On Deno, those requests are not rejected internally and are passed to user land as well. But for those requests, the value of http.IncomingMessage.url did not contain #.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read /etc/passwd

curl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

CVE-2025-46565

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

  • Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
  • Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns could be bypassed for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173



Vite allows server.fs.deny to be bypassed with .svg or relative paths

CVE-2025-31486 / GHSA-xcj6-pq6g-qj4x

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Vite has an server.fs.deny bypass with an invalid request-target

CVE-2025-32395 / GHSA-356w-63v5-8wf4

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Vite's server.fs.deny bypassed with /. for files under project root

CVE-2025-46565 / GHSA-859w-5945-r5v3

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

vitejs/vite (vite)

v6.2.7

Compare Source

Please refer to CHANGELOG.md for details.

v6.2.6

Compare Source

Please refer to CHANGELOG.md for details.

v6.2.5

Compare Source

Please refer to CHANGELOG.md for details.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
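The three advisories above share one root cause: a deny check that looked at the raw request target rather than the path that would actually be read. The following is an added example, not Vite's own code, of a check that normalizes first; it assumes a hypothetical project root ROOT, a Vite-like deny list, and a toy glob matcher (globToRegExp) standing in for a real one.

```javascript
// Constructed example, not Vite's code: allow-root and deny rules are applied to the
// normalized path, i.e. the same path that would actually be read from disk.
const ROOT = "/srv/vite-project"; // hypothetical project root
const DENY = [".env", ".env.*", "*.{crt,pem}", "**/.git/**"]; // Vite-like defaults
// Tiny glob -> RegExp for the pattern shapes on the page (*, **, **/, {a,b}); toy stand-in.
function globToRegExp(glob) {
  let re = "^";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; } else { re += ".*"; i++; }
    } else if (c === "*") re += "[^/]*";
    else if (c === "{") re += "(?:";
    else if (c === "}") re += ")";
    else if (c === ",") re += "|";
    else re += c.replace(/[.+?^$()|[\]\\]/g, "\\$&");
  }
  return new RegExp(re + "$");
}
const DENY_RES = DENY.map(globToRegExp);
// Lexically collapse "." and ".." in an absolute POSIX path (no fs access).
function normalizeAbs(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue; // also swallows a trailing "/." (CVE-2025-46565)
    if (seg === "..") out.pop();             // ".." above "/" stays at "/"
    else out.push(seg);
  }
  return "/" + out.join("/");
}
// Map a raw request target to the file it would read, or null if undecodable. Query and
// fragment are cut off first: on Node/Bun req.url may carry a literal "#" (CVE-2025-32395),
// and "?.svg?.wasm?init" suffixes must not influence the path decision (CVE-2025-31486).
function resolveRequestTarget(target) {
  let p = target.split(/[?#]/, 1)[0];
  try { p = decodeURIComponent(p); } catch { return null; }
  const viaFs = p.startsWith("/@fs/"); // "/@fs/<abs>" addresses an absolute path
  if (viaFs) p = p.slice("/@fs".length);
  return normalizeAbs(viaFs ? p : ROOT + "/" + p);
}
// Policy: the resolved file must lie under ROOT and match no deny pattern,
// tested against both the root-relative path and the basename.
function isAllowed(target) {
  const abs = resolveRequestTarget(target);
  if (abs === null || !abs.startsWith(ROOT + "/")) return false;
  const rel = abs.slice(ROOT.length + 1);
  const base = rel.slice(rel.lastIndexOf("/") + 1);
  return !DENY_RES.some((re) => re.test(rel) || re.test(base));
}
```

Note that the `?.svg?.wasm?init` request resolves to a file inside the project root, never to the system's `/etc/passwd`, which is the behaviour the advisory's fix restores.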

@renovate renovate bot requested a review from dubzzz as a code owner April 23, 2025 20:53
@renovate renovate bot added the "dependencies" label (Pull requests that update a dependency file) Apr 23, 2025
@changeset-bot

changeset-bot bot commented Apr 23, 2025

⚠️ No Changeset found

Latest commit: 44290e5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@pkg-pr-new

pkg-pr-new bot commented Apr 23, 2025

@fast-check/examples

@fast-check/ava

npm i https://pkg.pr.new/@fast-check/ava@5923

@fast-check/expect-type

npm i https://pkg.pr.new/@fast-check/expect-type@5923

@fast-check/jest

npm i https://pkg.pr.new/@fast-check/jest@5923

fast-check

npm i https://pkg.pr.new/fast-check@5923

@fast-check/poisoning

npm i https://pkg.pr.new/@fast-check/poisoning@5923

@fast-check/packaged

npm i https://pkg.pr.new/@fast-check/packaged@5923

@fast-check/vitest

npm i https://pkg.pr.new/@fast-check/vitest@5923

@fast-check/worker

npm i https://pkg.pr.new/@fast-check/worker@5923

commit: 44290e5

@github-actions

👋 A preview of the new documentation is available at: http://6809541dbd2f0c3da6ac7dc5--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from dfa0daa to f73063e Compare April 24, 2025 06:50
@github-actions

👋 A preview of the new documentation is available at: http://6809dfd9adb7b925dc66e6c2--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch 5 times, most recently from 029fcb7 to 01de058 Compare April 27, 2025 13:53
@github-actions

👋 A preview of the new documentation is available at: http://680e385d0cf9b70ed28d6d9f--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 01de058 to 045695a Compare April 27, 2025 16:15
@github-actions

👋 A preview of the new documentation is available at: http://680e590fda1d4e575bf61cf3--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 045695a to 900625b Compare April 30, 2025 22:30
@renovate renovate bot changed the title from "⬆️ Update dependency vite to v6.2.6 [SECURITY]" to "⬆️ Update dependency vite to v6.2.7 [SECURITY]" Apr 30, 2025
@github-actions

👋 A preview of the new documentation is available at: http://6812a53187fb9c61d988ea33--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch 2 times, most recently from d282a11 to ab98d01 Compare May 1, 2025 21:10
@github-actions

github-actions bot commented May 1, 2025

👋 A preview of the new documentation is available at: http://6813e3ebe529ce26bb3e1107--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from ab98d01 to fab014e Compare May 3, 2025 20:50
@github-actions

github-actions bot commented May 3, 2025

👋 A preview of the new documentation is available at: http://681682553e44f3e679b11d81--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from fab014e to a137ba3 Compare May 8, 2025 07:55
@github-actions

github-actions bot commented May 8, 2025

👋 A preview of the new documentation is available at: http://681c648b72a102d748ecb74f--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from a137ba3 to fa4dd05 Compare May 13, 2025 18:20
@github-actions

👋 A preview of the new documentation is available at: http://68238e1b4ab7063c0a460d72--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from fa4dd05 to 1d28c56 Compare May 13, 2025 18:44
@github-actions

👋 A preview of the new documentation is available at: http://68239424a67211066f5edb71--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 1d28c56 to 10b3778 Compare May 19, 2025 17:53
@github-actions

👋 A preview of the new documentation is available at: http://682b70d55d332bc06bbbdac4--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch 2 times, most recently from 992fa1e to 546d03f Compare May 26, 2025 21:17
@github-actions

👋 A preview of the new documentation is available at: http://6834db7afddf71937632b67d--dubzzz-fast-check.netlify.app

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 546d03f to a151869 Compare May 26, 2025 21:35
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 7f3f604 to 44290e5 Compare May 26, 2025 21:45
@github-actions

👋 A preview of the new documentation is available at: http://6834e23884f12ba1559a1c8c--dubzzz-fast-check.netlify.app

@renovate renovate bot changed the title from "⬆️ Update dependency vite to v6.2.7 [SECURITY]" to "⬆️ Update dependency vite to v6.2.7 [SECURITY] - autoclosed" May 26, 2025
@renovate renovate bot closed this May 26, 2025
@renovate renovate bot deleted the renovate/npm-vite-vulnerability branch May 26, 2025 22:00