Skip to content

Security: Vite Server Configured with Overly Permissive Host Settings#261

Closed
tomaioo wants to merge 1 commit into
selkies-project:mainfrom
tomaioo:fix/security/vite-server-configured-with-overly-permi
Closed

Security: Vite Server Configured with Overly Permissive Host Settings#261
tomaioo wants to merge 1 commit into
selkies-project:mainfrom
tomaioo:fix/security/vite-server-configured-with-overly-permi

Conversation

@tomaioo

@tomaioo tomaioo commented Jun 20, 2026

Copy link
Copy Markdown

Summary

Security: Vite Server Configured with Overly Permissive Host Settings

Problem

Severity: Medium | File: addons/selkies-web-core/vite.config.js:L7

Multiple Vite configuration files (vite.config.js) have 'allowedHosts: true' which allows all hosts, and server host set to '0.0.0.0'. This could expose the development server to external networks and potentially allow DNS rebinding attacks or unauthorized access to the development environment.

Solution

Restrict allowedHosts to specific trusted domains instead of allowing all hosts. Use environment-specific configurations to only allow broad access in development, never in production. Consider using a reverse proxy with proper host validation for production deployments.

Changes

  • addons/selkies-web-core/vite.config.js (modified)

Multiple Vite configuration files (vite.config.js) have 'allowedHosts: true' which allows all hosts, and server host set to '0.0.0.0'. This could expose the development server to external networks and potentially allow DNS rebinding attacks or unauthorized access to the development environment.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Vite server configuration in addons/selkies-web-core/vite.config.js to restrict the host to 127.0.0.1 and specify allowed hosts. The reviewer pointed out that explicitly defining allowedHosts is redundant and potentially restrictive when host is set to 127.0.0.1, as Vite 6 automatically handles loopback restrictions by default.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +9 to +10
host: '127.0.0.1',
allowedHosts: ['localhost', '127.0.0.1'],

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Specifying allowedHosts explicitly is redundant when host is set to '127.0.0.1'. By default, Vite 6 automatically restricts allowed hosts to localhost and loopback IP addresses (including IPv6 loopback ::1) when allowedHosts is omitted. Explicitly defining this array is unnecessary and could potentially block other valid loopback addresses.

Suggested change
host: '127.0.0.1',
allowedHosts: ['localhost', '127.0.0.1'],
host: '127.0.0.1',

@ehfd

ehfd commented Jul 6, 2026

Copy link
Copy Markdown
Member

Incorporated into #254.

@ehfd ehfd closed this Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants