🚨 [security] Update vite 4.5.5 → 4.5.9 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ vite (4.5.5 → 4.5.9) · Repo · Changelog

Security Advisories 🚨

🚨 Websites were able to send any requests to the development server and read the response in vite

Summary

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

Upgrade Path

Users that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

• Using the backend integration feature
• Using a reverse proxy in front of Vite
• Accessing the development server via a domain other than localhost or *.localhost
• Using a plugin / framework that connects to the WebSocket server on their own from the browser

Using the backend integration feature

If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.

Using a reverse proxy in front of Vite

If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.

Accessing the development server via a domain other than localhost or *.localhost

You need to add the hostname to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option.

Using a plugin / framework that connects to the WebSocket server on their own from the browser

If you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.

In that case, you can either:

• fix the plugin / framework code to the make it compatible with the new version of Vite
• set legacy.skipWebSocketTokenCheck: true to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite
  • When enabling this option, make sure that you are aware of the security implications described in the impact section of [2] above.

Mitigation without upgrading Vite

[1]: Permissive default CORS settings

Set server.cors to false or limit server.cors.origin to trusted origins.

[2]: Lack of validation on the Origin header for WebSocket connections

There aren't any mitigations for this.

[3]: Lack of validation on the Host header for HTTP requests

Use Chrome 94+ or use HTTPS for the development server.

Details

There are three causes that allowed malicious websites to send any requests to the development server:

[1]: Permissive default CORS settings

Vite sets the Access-Control-Allow-Origin header depending on server.cors option. The default value was true which sets Access-Control-Allow-Origin: *. This allows websites on any origin to fetch contents served on the development server.

Attack scenario:

1. The attacker serves a malicious web page (http://malicious.example.com).
2. The user accesses the malicious web page.
3. The attacker sends a fetch('http://127.0.0.1:5173/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
4. The attacker gets the content of http://127.0.0.1:5173/main.js.

[2]: Lack of validation on the Origin header for WebSocket connections

Vite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server did not perform validation on the Origin header and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection (list of the file paths that changed, the file content where the errored happened, etc.), but plugins can send arbitrary messages and may include more sensitive information.

Attack scenario:

1. The attacker serves a malicious web page (http://malicious.example.com).
2. The user accesses the malicious web page.
3. The attacker runs new WebSocket('http://127.0.0.1:5173', 'vite-hmr') by JS in that malicious web page.
4. The user edits some files.
5. Vite sends some HMR messages over WebSocket.
6. The attacker gets the content of the HMR messages.

[3]: Lack of validation on the Host header for HTTP requests

Unless server.https is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.

1. The attacker serves a malicious web page that is served on HTTP (http://malicious.example.com:5173) (HTTPS won't work).
2. The user accesses the malicious web page.
3. The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).
4. The attacker sends a fetch('/main.js') request by JS in that malicious web page.
5. The attacker gets the content of http://127.0.0.1:5173/main.js bypassing the same origin policy.

Impact

[1]: Permissive default CORS settings

Users with the default server.cors option may:

• get the source code stolen by malicious websites
• give the attacker access to functionalities that are not supposed to be exposed externally
  • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

[2]: Lack of validation on the Origin header for WebSocket connections

All users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.

For users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.

For users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.

[3]: Lack of validation on the Host header for HTTP requests

Users using HTTP for the development server and using a browser that is not Chrome 94+ may:

• get the source code stolen by malicious websites
• give the attacker access to functionalities that are not supposed to be exposed externally
  • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

Chrome 94+ users are not affected for [3], because sending a request to a private network page from public non-HTTPS page is forbidden since Chrome 94.

Related Information

Safari has a bug that blocks requests to loopback addresses from HTTPS origins. This means when the user is using Safari and Vite is listening on lookback addresses, there's another condition of "the malicious web page is served on HTTP" to make [1] and [2] to work.

PoC

[2]: Lack of validation on the Origin header for WebSocket connections

1. I used the react template which utilizes HMR functionality.

npm create vite@latest my-vue-app-react -- --template react

2. Then on a malicious server, serve the following POC html:

<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>

3. Kick off Vite

npm run dev

4. Load the development server (open http://localhost:5173/) as well as the malicious page in the browser.
5. Edit src/App.jsx file and intentionally place a syntax error
6. Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed

Here's a video demonstrating the POC:

vite-cswsh.mov

vite-cswsh.mov

Release Notes

4.5.9

Please refer to CHANGELOG.md for details.

4.5.6

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Does any of this look wrong? Please let us know.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	filesystem	0	5.71 kB	isaacs
npm/[email protected]	environment, filesystem, network, shell	0	128 kB	hoten
npm/[email protected]	None	0	1.41 MB	google-wombot
npm/[email protected]	None	0	19 kB	jonschlinkert
npm/[email protected]	None	0	4.37 kB	sindresorhus
npm/[email protected]	None	+1	43 kB	oss-bot
npm/[email protected]	None	0	15.9 kB	pvorb
npm/[email protected]	None	0	11.8 kB	dead_horse
npm/[email protected]	None	0	16 kB	jongleberry
npm/[email protected]	None	0	6.85 kB	jonschlinkert
npm/[email protected]	None	0	114 kB	omgovich
npm/[email protected]	None	0	117 kB	75lb
npm/[email protected]	None	+2	153 kB	75lb
npm/[email protected]	filesystem, shell	0	62.4 kB	abetomo
npm/[email protected]	None	0	4.79 kB	substack
npm/[email protected]	None	0	8 kB	nami-doc
npm/[email protected]	None	+1	813 kB	floridoo
npm/[email protected]	environment, filesystem	+2	423 kB	gustavohenke
npm/[email protected]	None	0	19.1 kB	dougwilson
npm/[email protected]	None	0	10.5 kB	dougwilson
npm/[email protected]	None	0	15.9 kB	phated
npm/[email protected]	network Transitive: environment, eval	+1	46.7 kB	dougwilson
npm/[email protected]	None	0	4.15 kB	jonschlinkert
npm/[email protected]	None	0	678 kB	zloirock
npm/[email protected]	filesystem	0	92 kB	d-fischer
npm/[email protected]	network	0	73.8 kB	lquixada
npm/[email protected]	None	0	83.8 kB	siilwyn
npm/[email protected]	None	0	82.4 kB	feedic
npm/[email protected]	None	0	989 kB	lahmatiy
npm/[email protected]	None	0	66 kB	feedic
npm/[email protected]	None	0	22 kB	ludovicofischer
npm/[email protected]	None	0	6.53 kB	ludovicofischer
npm/[email protected]	Transitive: environment	+1	522 kB	ludovicofischer
npm/[email protected]	None	0	593 kB	lahmatiy
npm/[email protected]	None	0	6.69 MB	kossnocorp
npm/[email protected]	None	0	12 kB	stephenmathieson
npm/[email protected]	None	0	2.94 kB	sindresorhus
npm/[email protected]	None	0	6.09 kB	samverschueren
npm/[email protected]	None	0	9.69 kB	substack
npm/[email protected]	None	0	31.2 kB	tehshrike
npm/[email protected]	None	0	4.45 kB	sindresorhus
npm/[email protected]	None	0	12.5 kB	ljharb
npm/[email protected]	None	0	10.7 kB	doowb
npm/[email protected]	None	0	7.46 kB	tjholowaychuk
npm/[email protected]	None	0	38.6 kB	jriecken
npm/[email protected]	filesystem	0	9.02 kB	dougwilson
npm/[email protected]	None	0	2.55 MB	google-wombot
npm/[email protected]	None	0	86 kB	foray1010
npm/[email protected]	None	0	390 kB	kpdecker
npm/[email protected]	None	0	28.3 kB	feedic
npm/[email protected]	None	0	11.4 kB	feedic
npm/[email protected]	None	0	44.6 kB	feedic
npm/[email protected]	network	0	56.6 kB	feedic
npm/[email protected]	None	0	5.53 kB	raynos
npm/[email protected]	None	0	6.26 kB	dougwilson
npm/[email protected]	eval, filesystem	0	142 kB	mde
npm/[email protected]	None	0	238 kB	kilianvalkhof
npm/[email protected]	None	0	46.6 kB	sindresorhus
npm/[email protected]	None	0	48.3 kB	mathias
npm/[email protected]	None	0	7.86 kB	dougwilson
npm/[email protected]	None	0	6.23 kB	mafintosh
npm/[email protected]	None	0	57.7 kB	feedic
npm/[email protected]	None	0	9.04 kB	qix
npm/[email protected]	None	0	31.8 kB	marvinhagemeister
npm/[email protected]	Transitive: eval	+3	2.12 MB	ljharb
npm/[email protected]	None	0	86.1 kB	guybedford
npm/[email protected]	None	0	8.91 kB	ljharb
npm/[email protected]	environment, filesystem, network, shell	0	130 kB	evanw
npm/[email protected]	None	0	3.66 kB	dougwilson
npm/[email protected]	None	0	2.69 kB	jbnicolai
npm/[email protected]	None	0	78.4 kB	eslintbot
npm/[email protected] 🔁 npm/[email protected]	None	0	32.3 kB	eslintbot
npm/[email protected] 🔁 npm/[email protected]	None	0	3.04 MB	eslintbot
npm/[email protected]	None	0	36.3 kB	michaelficarra
npm/[email protected]	None	0	15.2 kB	rich_harris
npm/[email protected]	filesystem	0	10.8 kB	dougwilson
npm/[email protected]	None	0	38 kB	lpinca
npm/[email protected]	Transitive: environment, filesystem, network	+1	77.3 kB	jonschlinkert
npm/[email protected]	None	0	8.61 kB	phated
npm/[email protected]	None	+1	47.9 kB	jonschlinkert
npm/[email protected]	filesystem	+1	23.1 kB	malept
npm/[email protected] 🔁 npm/[email protected]	None	0	97.6 kB	mrmlnc
npm/[email protected]	filesystem	0	29.8 kB	thejoshwolfe
npm/[email protected]	None	0	8.83 kB	sindresorhus
npm/[email protected]	filesystem	+2	69 kB	mde
npm/[email protected]	None	0	44.1 kB	avoidwork
npm/[email protected]	filesystem	0	6.79 kB	sindresorhus
npm/[email protected]	None	0	12.1 kB	75lb
npm/[email protected]	None	0	6.28 kB	jonschlinkert
npm/[email protected]	None	0	67.4 kB	infusion
npm/[email protected]	None	0	9.9 kB	jonschlinkert
npm/[email protected]	None	0	10.1 kB	dougwilson
npm/[email protected]	filesystem	0	2.22 kB	mafintosh
npm/[email protected]	None	0	63.3 kB	ryanzim
npm/[email protected]	None	0	25.2 kB	ljharb
npm/[email protected]	None	0	17 kB	ljharb
npm/[email protected]	None	0	13 kB	evilebottnawi
npm/[email protected]	None	0	28.9 kB	loganfsmyth
npm/[email protected]	None	0	4.72 kB	stefanpenner
npm/[email protected]	eval	0	39.3 kB	ljharb
npm/[email protected]	None	0	12.2 kB	sindresorhus
npm/[email protected]	None	0	3.71 kB	jonschlinkert
npm/[email protected]	None	0	17.6 kB	nickfitzgerald
npm/[email protected]	None	0	11.4 kB	terkelg
npm/[email protected]	None	0	14.2 kB	terkelg
npm/[email protected]	filesystem	+1	13.4 kB	sindresorhus
npm/[email protected]	None	+1	7.29 kB	sindresorhus
npm/[email protected]	None	0	9.31 kB	ljharb
npm/[email protected]	None	0	7.62 kB	jonschlinkert
npm/[email protected]	None	+1	21.4 kB	jonschlinkert
npm/[email protected]	None	0	2.77 kB	ljharb
npm/[email protected]	None	0	13.1 kB	webreflection
npm/[email protected]	network	+1	27.5 kB	dougwilson
npm/[email protected]	network	0	26 kB	tootallnate
npm/[email protected]	None	0	336 kB	ashtuchkin
npm/[email protected]	None	0	3.03 kB	geelen
npm/[email protected]	None	0	10 kB	evilebottnawi
npm/[email protected]	None	0	6.8 kB	feross
npm/[email protected]	None	0	4.87 kB	sindresorhus
npm/[email protected]	Transitive: filesystem, unsafe	+1	10.8 kB	sindresorhus

🚮 Removed packages: npm/@eslint-community/[email protected], npm/@eslint/[email protected], npm/@eslint/[email protected], npm/@getalby/[email protected], npm/@getalby/[email protected], npm/@humanwhocodes/[email protected], npm/@humanwhocodes/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@swc/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/@vitejs/[email protected], npm/@webbtc/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎