
chore(deps): update devdependencies vite from v6.2.4 to v6.2.5 [security] - abandoned#633

Merged
danadajian merged 3 commits into main from renovate/npm-vite-vulnerability
Apr 19, 2025

Conversation

@renovate renovate bot (Contributor) commented Apr 4, 2025

This PR contains the following updates:

Package | Change
vite (source) | 6.2.4 -> 6.2.5

GitHub Vulnerability Alerts

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected.

Details

.svg

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg together with ?.wasm?init, or with a sec-fetch-dest: script header, the restriction could be bypassed.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests with relative paths (e.g. ../../) to bypass it.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

Send a request to read /etc/passwd:

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'
curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

Release Notes

vitejs/vite (vite)

v6.2.5

Compare Source

Please refer to CHANGELOG.md for details.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

@renovate renovate bot added the dependencies (Pull requests that update a dependency file), patch-version and renovate labels Apr 4, 2025
@renovate renovate bot (Contributor, Author) commented Apr 4, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot (Contributor, Author) commented Apr 5, 2025

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

@renovate renovate bot changed the title from "chore(deps): update devdependencies vite from v6.2.4 to v6.2.5 [security]" to "chore(deps): update devdependencies vite from v6.2.4 to v6.2.5 [security] - abandoned" Apr 5, 2025
@danadajian danadajian enabled auto-merge (squash) April 19, 2025 14:42
@danadajian danadajian merged commit a2ae354 into main Apr 19, 2025
3 checks passed
@danadajian danadajian deleted the renovate/npm-vite-vulnerability branch April 19, 2025 14:44
@eg-oss-ci commented

🎉 This PR is included in version 1.26.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀


Labels: dependencies (Pull requests that update a dependency file), patch-version, released, renovate


2 participants