Virtual modules ending in *.svg fail to load

[Fuzzyma]

Describe the bug

I am using a vite plugin to add a virtual module. Just by chance, since its generating an svg, I ended its name in *.svg. This worked fine in vite v5 but fails after upgrading to vite v6. The server seems to resolve the svg differently and cant find in.
Renaming the ending immediately solves this problem.

Reproduction

https://stackblitz.com/edit/vitejs-vite-ecxwyqxf?file=src%2Fmain.js

Steps to reproduce

• load the reproduction and see it not working
• rename both occurrences of the virtual module to not end in *.svg
• see a rectangle appear

System Info

System:
    OS: Linux 5.15 Ubuntu 22.04.5 LTS 22.04.5 LTS (Jammy Jellyfish)
    CPU: (16) x64 AMD Ryzen 7 PRO 6850HS with Radeon Graphics
    Memory: 12.45 GB / 15.28 GB
    Container: Yes
    Shell: 5.1.16 - /bin/bash
  Binaries:
    Node: 22.14.0 - ~/.nvm/versions/node/v22.14.0/bin/node
    Yarn: 3.3.0 - ~/.nvm/versions/node/v22.14.0/bin/yarn
    npm: 10.9.2 - ~/.nvm/versions/node/v22.14.0/bin/npm
    pnpm: 10.4.1 - ~/.local/share/pnpm/pnpm
    bun: 1.2.3 - ~/.bun/bin/bun
  Browsers:
    Chrome: 134.0.6998.88

Used Package Manager

npm

Logs

No response

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to vuejs/core instead.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[sapphi-red]

Probably it's happening because deniedServingAccessForTransform returns false even if the file does not exist on the file system.

vite/packages/vite/src/node/server/transformRequest.ts

Lines 256 to 260 in 3db608a

	if (options.allowId && !options.allowId(id)) {
	const err: any = new Error(`Denied ID ${id}`)
	err.code = ERR_DENIED_ID
	throw err
	}

vite/packages/vite/src/node/server/middlewares/transform.ts

Lines 252 to 254 in 3db608a

	allowId(id) {
	return !deniedServingAccessForTransform(id, server, res, next)
	},

vite/packages/vite/src/node/server/middlewares/static.ts

Line 271 in 3db608a

if (isFileReadable(cleanUrl(url))) {

vite/packages/vite/src/node/server/middlewares/static.ts

Lines 284 to 286 in 3db608a

	// if the file doesn't exist, we shouldn't restrict this path as it can
	// be an API call. Middlewares would issue a 404 if the file isn't handled
	next()

I guess changing ensureServingAccess to return 3-values (instead of a boolean) and calling next on the caller side can solve this issue.

[sapphi-red]

I think this also happens with the newer version of v5 as it's caused by the security patch.

[Fuzzyma]

I think this also happens with the newer version of v5 as it's caused by the security patch.

possible. My original version was on a fairly old v5

[danielrentz]

Just for the records (stumbled over this as well with our plugin)

Security report: GHSA-xcj6-pq6g-qj4x
Fixed in vite 6.3.0-beta.2: #19782
Backport to vite 5.4.17: #19784