chore(deps): update dependency vite to v6 [security] #509

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

dwightjack merged 1 commit into main from renovate/npm-vite-vulnerability

Apr 2, 2025

Contributor

renovate bot commented Apr 1, 2025

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`5.4.16` -> `6.2.4`

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
content of non-allowed files is exposed using ?raw?import

/@fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init

Release Notes

vitejs/vite (vite)

`v6.2.4`

Please refer to CHANGELOG.md for details.

`v6.2.3`

Please refer to CHANGELOG.md for details.

`v6.2.2`

fix: await client buildStart on top level buildStart (#19624) (b31faab), closes #19624
fix(css): inline css correctly for double quote use strict (#19590) (d0aa833), closes #19590
fix(deps): update all non-major dependencies (#19613) (363d691), closes #19613
fix(indexHtml): ensure correct URL when querying module graph (#19601) (dc5395a), closes #19601
fix(preview): use preview https config, not server (#19633) (98b3160), closes #19633
fix(ssr): use optional chaining to prevent "undefined is not an object" happening in `ssrRewriteStac (4309755), closes #19612
feat: show friendly error for malformed base (#19616) (2476391), closes #19616
feat(worker): show asset filename conflict warning (#19591) (367d968), closes #19591
chore: extend commit hash correctly when ambigious with a non-commit object (#19600) (89a6287), closes #19600

`v6.2.1`

refactor: remove isBuild check from preAliasPlugin (#19587) (c9e086d), closes #19587
refactor: restore endsWith usage (#19554) (6113a96), closes #19554
refactor: use applyToEnvironment in internal plugins (#19588) (f678442), closes #19588
fix(css): stabilize css module hashes with lightningcss in dev mode (#19481) (92125b4), closes #19481
fix(deps): update all non-major dependencies (#19555) (f612e0f), closes #19555
fix(reporter): fix incorrect bundle size calculation with non-ASCII characters (#19561) (437c0ed), closes #19561
fix(sourcemap): combine sourcemaps with multiple sources without matched source (#18971) (e3f6ae1), closes #18971
fix(ssr): named export should overwrite export all (#19534) (2fd2fc1), closes #19534
feat: add *?url&no-inline type and warning for .json?inline / .json?no-inline (#19566) (c0d3667), closes #19566
test: add glob import test case (#19516) (aa1d807), closes #19516
test: convert config playground to unit tests (#19568) (c0e68da), closes #19568
test: convert resolve-config playground to unit tests (#19567) (db5fb48), closes #19567
perf: flush compile cache after 10s (#19537) (6c8a5a2), closes #19537
chore(css): move environment destructuring after condition check (#19492) (c9eda23), closes #19492
chore(html): remove unnecessary value check (#19491) (797959f), closes #19491

`v6.2.0`

fix(deps): update all non-major dependencies (#19501) (c94c9e0), closes #19501
fix(worker): string interpolation in dynamic worker options (#19476) (07091a1), closes #19476
chore: use unicode cross icon instead of x (#19497) (5c70296), closes #19497

`v6.1.3`

Please refer to CHANGELOG.md for details.

`v6.1.2`

Please refer to CHANGELOG.md for details.

`v6.1.1`

fix: ensure .[cm]?[tj]sx? static assets are JS mime (#19453) (e7ba55e), closes #19453
fix: ignore *.ipv4 address in cert (#19416) (973283b), closes #19416
fix(css): run rewrite plugin if postcss plugin exists (#19371) (bcdb51a), closes #19371
fix(deps): bump tsconfck (#19375) (746a583), closes #19375
fix(deps): update all non-major dependencies (#19392) (60456a5), closes #19392
fix(deps): update all non-major dependencies (#19440) (ccac73d), closes #19440
fix(html): ignore malformed src attrs (#19397) (aff7812), closes #19397
fix(worker): fix web worker type detection (#19462) (edc65ea), closes #19462
refactor: remove custom .jxl mime (#19457) (0c85464), closes #19457
feat: add support for injecting debug IDs (#18763) (0ff556a), closes #18763
chore: update 6.1.0 changelog (#19363) (fa7c211), closes #19363

`v6.1.0`

Features

feat: show hosts in cert in CLI (#19317) (a5e306f), closes #19317
feat: support for env var for defining allowed hosts (#19325) (4d88f6c), closes #19325
feat: use native runtime to import the config (#19178) (7c2a794), closes #19178
feat: print port in the logged error message after failed WS connection with EADDRINUSE (#19212) (14027b0), closes #19212
perf(css): only run postcss when needed (#19061) (30194fa), closes #19061
feat: add support for .jxl (#18855) (57b397c), closes #18855
feat: add the builtins environment resolve (#18584) (2c2d521), closes #18584
feat: call Logger for plugin logs in build (#13757) (bf3e410), closes #13757
feat: export defaultAllowedOrigins for user-land config and 3rd party plugins (#19259) (dc8946b), closes #19259
feat: expose createServerModuleRunnerTransport (#18730) (8c24ee4), closes #18730
feat: support async for proxy.bypass (#18940) (a6b9587), closes #18940
feat: support log related functions in dev (#18922) (3766004), closes #18922
feat: use module runner to import the config (#18637) (b7e0e42), closes #18637
feat(css): add friendly errors for IE hacks that are not supported by lightningcss (#19072) (caad985), closes #19072
feat(optimizer): support bun text lockfile (#18403) (05b005f), closes #18403
feat(reporter): add wasm to the compressible assets regex (#19085) (ce84142), closes #19085
feat(worker): support dynamic worker option fields (#19010) (d0c3523), closes #19010

Fixes

fix: avoid builtStart during vite optimize (#19356) (fdb36e0), closes #19356
fix(build): fix stale build manifest on watch rebuild (#19361) (fcd5785), closes #19361
fix: allow expanding env vars in reverse order (#19352) (3f5f2bd), closes #19352
fix: avoid packageJson without name in resolveLibCssFilename (#19324) (f183bdf), closes #19324
fix(html): fix css disorder when building multiple entry html (#19143) (e7b4ba3), closes #19143
fix: don't call buildStart hooks for vite optimize (#19347) (19ffad0), closes #19347
fix: don't call next middleware if user sent response in proxy.bypass (#19318) (7e6364d), closes #19318
fix: respect top-level server.preTransformRequests (#19272) (12aaa58), closes #19272
fix: use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#19313) (9fc31b6), closes #19313
fix(css): less @plugin imports of JS files treated as CSS and rebased (fix #19268) (#19269) (602b373), closes #19268 #19269
fix(deps): update all non-major dependencies (#19296) (2bea7ce), closes #19296
fix(resolve): preserve hash/search of file url (#19300) (d1e1b24), closes #19300
fix(resolve): warn if node-like builtin was imported when resolve.builtin is empty (#19312) (b7aba0b), closes #19312
fix(ssr): fix transform error due to export all id scope (#19331) (e28bce2), closes #19331
fix(ssr): pretty print plugin error in ssrLoadModule (#19290) (353c467), closes #19290
fix: change ResolvedConfig type to interface to allow extending it (#19210) (bc851e3), closes #19210
fix: correctly resolve hmr dep ids and fallback to url (#18840) (b84498b), closes #18840
fix: make --force work for all environments (#18901) (51a42c6), closes #18901
fix: use loc.file from rollup errors if available (#19222) (ce3fe23), closes #19222
fix(deps): update all non-major dependencies (#19190) (f2c07db), closes #19190
fix(hmr): register inlined assets as a dependency of CSS file (#18979) (eb22a74), closes #18979
fix(resolve): support resolving TS files by JS extension specifiers in JS files (#18889) (612332b), closes #18889
fix(ssr): combine empty source mappings (#19226) (ba03da2), closes #19226
fix(utils): clone RegExp values with new RegExp instead of structuredClone (fix #19245, fix #1 (56ad2be), closes #19245 #18875 #19247

Chore

refactor: deprecate vite optimize command (#19348) (6e0e3c0), closes #19348
chore: update deprecate links domain (#19353) (2b2299c), closes #19353
docs: rephrase browser range and features relation (#19286) (97569ef), closes #19286
docs: update build.manifest jsdocs (#19332) (4583781), closes #19332
chore: remove outdated code comment about scanImports not being used in ssr (#19285) (fbbc6da), closes #19285
chore: unneeded name in lockfileFormats (#19275) (96092cb), closes #19275
chore(deps): update dependency strip-literal to v3 (#19231) (1172d65), closes #19231

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

`v6.0.13`

Please refer to CHANGELOG.md for details.

`v6.0.12`

Please refer to CHANGELOG.md for details.

`v6.0.11`

fix: preview.allowedHosts with specific values was not respected (#19246) (aeb3ec8), closes #19246
fix: allow CORS from loopback addresses by default (#19249) (3d03899), closes #19249

`v6.0.10`

fix: try parse server.origin URL (#19241) (2495022), closes #19241

`v6.0.9`

fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (bd896fb)
fix!: default server.cors: false to disallow fetching from untrusted origins (b09572a)
fix: verify token for HMR WebSocket connection (029dcd6)

`v6.0.8`

fix: avoid SSR HMR for HTML files (#19193) (3bd55bc), closes #19193
fix: build time display 7m 60s (#19108) (cf0d2c8), closes #19108
fix: don't resolve URL starting with double slash (#19059) (35942cd), closes #19059
fix: ensure server.close() only called once (#19204) (db81c2d), closes #19204
fix: resolve.conditions in ResolvedConfig was defaultServerConditions (#19174) (ad75c56), closes #19174
fix: tree shake stringified JSON imports (#19189) (f2aed62), closes #19189
fix: use shared sigterm callback (#19203) (47039f4), closes #19203
fix(deps): update all non-major dependencies (#19098) (8639538), closes #19098
fix(optimizer): use correct default install state path for yarn PnP (#19119) (e690d8b), closes #19119
fix(types): improve ESBuildOptions.include / exclude type to allow readonly (string | RegExp)[] (ea53e70), closes #19146
chore(deps): update dependency pathe to v2 (#19139) (71506f0), closes #19139

`v6.0.7`

fix: fix minify when builder.sharedPlugins: true (#19025) (f7b1964), closes #19025
fix: skip the plugin if it has been called before with the same id and importer (#19016) (b178c90), closes #19016
fix(html): error while removing vite-ignore attribute for inline script (#19062) (a492253), closes #19062
fix(ssr): fix semicolon injection by ssr transform (#19097) (1c102d5), closes #19097
perf: skip globbing for static path in warmup (#19107) (677508b), closes #19107
feat(css): show lightningcss warnings (#19076) (b07c036), closes #19076

`v6.0.6`

fix: replace runner-side path normalization with fetchModule-side resolve (#18361) (9f10261), closes #18361
fix(css): resolve style tags in HTML files correctly for lightningcss (#19001) (afff05c), closes #19001
fix(css): show correct error when unknown placeholder is used for CSS modules pattern in lightningcs (9290d85), closes #19070
fix(resolve): handle package.json with UTF-8 BOM (#19000) (902567a), closes #19000
fix(ssrTransform): preserve line offset when transforming imports (#19004) (1aa434e), closes #19004
chore: fix typo in comment (#19067) (eb06ec3), closes #19067
chore: update comment about build.target (#19047) (0e9e81f), closes #19047
revert: unpin esbuild version (#19043) (8bfe247), closes #19043
test(ssr): test virtual module with query (#19044) (a1f4b46), closes #19044

`v6.0.5`

fix: esbuild regression (pin to 0.24.0) (#19027) (4359e0d), closes #19027

`v6.0.4`

fix: this.resolve skipSelf should not skip for different id or import (#18903) (4727320), closes #18903
fix: fallback terser to main thread when function options are used (#18987) (12b612d), closes #18987
fix: merge client and ssr values for pluginContainer.getModuleInfo (#18895) (258cdd6), closes #18895
fix(css): escape double quotes in url() when lightningcss is used (#18997) (3734f80), closes #18997
fix(css): root relative import in sass modern API on Windows (#18945) (c4b532c), closes #18945
fix(css): skip non css in custom sass importer (#18970) (21680bd), closes #18970
fix(deps): update all non-major dependencies (#18967) (d88d000), closes #18967
fix(deps): update all non-major dependencies (#18996) (2b4f115), closes #18996
fix(optimizer): keep NODE_ENV as-is when keepProcessEnv is true (#18899) (8a6bb4e), closes #18899
fix(ssr): recreate ssrCompatModuleRunner on restart (#18973) (7d6dd5d), closes #18973
chore: better validation error message for dts build (#18948) (63b82f1), closes #18948
chore(deps): update all non-major dependencies (#18916) (ef7a6a3), closes #18916
chore(deps): update dependency @rollup/plugin-node-resolve to v16 (#18968) (62fad6d), closes #18968
refactor: make internal invoke event to use the same interface with handleInvoke (#18902) (27f691b), closes #18902
refactor: simplify manifest plugin code (#18890) (1bfe21b), closes #18890
test: test ModuleRunnerTransport invoke API (#18865) (e5f5301), closes #18865
test: test output hash changes (#18898) (bfbb130), closes #18898

`v6.0.3`

fix: handle postcss load unhandled rejections (#18886) (d5fb653), closes #18886
fix: make handleInvoke interface compatible with invoke (#18876) (a1dd396), closes #18876
fix: make result interfaces for ModuleRunnerTransport#invoke more explicit (#18851) (a75fc31), closes #18851
fix: merge environments.ssr.resolve with root ssr config (#18857) (3104331), closes #18857
fix: no permission to create vite config file (#18844) (ff47778), closes #18844
fix: remove CSS import in CJS correctly in some cases (#18885) (690a36f), closes #18885
fix(config): bundle files referenced with imports field (#18887) (2b5926a), closes #18887
fix(config): make stacktrace path correct when sourcemap is enabled (#18833) (20fdf21), closes #18833
fix(css): rewrite url when image-set and url exist at the same time (#18868) (d59efd8), closes #18868
fix(deps): update all non-major dependencies (#18853) (5c02236), closes #18853
fix(html): allow unexpected question mark in tag name (#18852) (1b54e50), closes #18852
fix(module-runner): decode uri for file url passed to import (#18837) (88e49aa), closes #18837
refactor: fix logic errors found by no-unnecessary-condition rule (#18891) (ea802f8), closes #18891
chore: fix duplicate attributes issue number in comment (#18860) (ffee618), closes #18860

`v6.0.2`

chore: run typecheck in unit tests (#18858) (49f20bb), closes #18858
chore: update broken links in changelog (#18802) (cb754f8), closes #18802
chore: update broken links in changelog (#18804) (47ec49f), closes #18804
fix: don't store temporary vite config file in node_modules if deno (#18823) (a20267b), closes #18823
fix(css): referencing aliased svg asset with lightningcss enabled errored (#18819) (ae68958), closes #18819
fix(manifest): use style.css as a key for the style file for cssCodesplit: false (#18820) (ec51115), closes #18820
fix(optimizer): resolve all promises when cancelled (#18826) (d6e6194), closes #18826
fix(resolve): don't set builtinModules to external by default (#18821) (2250ffa), closes #18821
fix(ssr): set ssr.target: 'webworker' defaults as fallback (#18827) (b39e696), closes #18827
feat(css): format lightningcss error (#18818) (dac7992), closes #18818
refactor: make properties of ResolvedServerOptions and ResolvedPreviewOptions required (#18796) (51a5569), closes #18796

`v6.0.1`

fix: preview.allowedHosts with specific values was not respected (#19246) (aeb3ec8), closes #19246
fix: allow CORS from loopback addresses by default (#19249) ([3d03899](https://redirect.github.com/vitejs/vite/commit/3d038997377a30022b6a6b7916e0b4b5d8b9a3

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

changeset-bot bot commented Apr 1, 2025 •

edited

Loading

⚠️ No Changeset found

Latest commit: 8cbdbd7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


          chore(deps): update dependency vite to v6 [security]

8cbdbd7

[skip netlify]

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 8b8d41c to 8cbdbd7 Compare

April 1, 2025 21:45

dwightjack merged commit dffab8a into main

8 checks passed

renovate bot deleted the renovate/npm-vite-vulnerability branch

April 2, 2025 09:07

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet