Skip to content

chore(deps): update dependency vite to v5.4.17 [security]#228

Merged
lukaw3d merged 2 commits into
masterfrom
renovate/npm-vite-vulnerability
Apr 7, 2025
Merged

chore(deps): update dependency vite to v5.4.17 [security]#228
lukaw3d merged 2 commits into
masterfrom
renovate/npm-vite-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 7, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 5.4.16 -> 5.4.17 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected..

Details

.svg

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'
curl 'http://127.0.0.1:5173/@​fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

Release Notes

vitejs/vite (vite)

v5.4.17

Compare Source

Please refer to CHANGELOG.md for details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@lukaw3d lukaw3d force-pushed the renovate/npm-vite-vulnerability branch from 1e4068d to 36f9669 Compare April 7, 2025 18:04
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 7, 2025
edited
Loading

Deployed to Cloudflare Pages

Latest commit: 36f96699aa2c8f191d207361ddb8b1a6481920a3
Status:✅ Deploy successful!
Preview URL: https://32315786.rose-app.pages.dev
Alias: https://pr-228.rose-app.pages.dev

@lukaw3d
Copy link
Copy Markdown
Contributor

lukaw3d commented Apr 7, 2025

Fixed broken deploy since #179 (comment)

@lukaw3d lukaw3d merged commit 6f7eeb2 into master Apr 7, 2025
5 checks passed
@lukaw3d lukaw3d deleted the renovate/npm-vite-vulnerability branch April 7, 2025 18:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@buberdds buberdds Awaiting requested review from buberdds buberdds is a code owner

@csillag csillag Awaiting requested review from csillag

@lubej lubej Awaiting requested review from lubej lubej is a code owner

1 more reviewer

@lukaw3d lukaw3d lukaw3d approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lukaw3d