Skip to content

chore(deps): update devdependencies vite from v6.2.3 to v6.2.4 [security] - abandoned#628

Merged
danadajian merged 3 commits intomainfrom
renovate/npm-vite-vulnerability
Apr 4, 2025
Merged

chore(deps): update devdependencies vite from v6.2.3 to v6.2.4 [security] - abandoned#628
danadajian merged 3 commits intomainfrom
renovate/npm-vite-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 31, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 6.2.3 -> 6.2.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

  • base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
  • content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init

Release Notes

vitejs/vite (vite)

v6.2.4

Compare Source

Please refer to CHANGELOG.md for details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

@renovate renovate bot added dependencies Pull requests that update a dependency file patch-version renovate labels Mar 31, 2025
@renovate
Copy link
Contributor Author

renovate bot commented Mar 31, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title chore(deps): update devdependencies vite from v6.2.3 to v6.2.4 [security] chore(deps): update devdependencies vite from v6.2.3 to v6.2.4 [security] - abandoned Apr 1, 2025
@renovate
Copy link
Contributor Author

renovate bot commented Apr 1, 2025

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

@danadajian danadajian enabled auto-merge (squash) April 4, 2025 12:36
@danadajian danadajian merged commit effdb18 into main Apr 4, 2025
3 checks passed
@danadajian danadajian deleted the renovate/npm-vite-vulnerability branch April 4, 2025 12:38
@eg-oss-ci
Copy link

eg-oss-ci commented Apr 7, 2025

🎉 This PR is included in version 1.25.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danadajian danadajian danadajian approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file patch-version released renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eg-oss-ci @danadajian