Skip to content

fix(deps): update dependency vite to v6.2.6 [security]#2327

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-vite-vulnerability
Apr 12, 2025
Merged

fix(deps): update dependency vite to v6.2.6 [security]#2327
renovate[bot] merged 1 commit intomainfrom
renovate/npm-vite-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Apr 11, 2025
edited by github-actions bot
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 6.2.5 -> 6.2.6 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-32395

Summary

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Impact

Only apps with the following conditions are affected.

  • explicitly exposing the Vite dev server to the network (using --host or server.host config option)
  • running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)

Details

HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3).

On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.

On Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of http.IncomingMessage.url did not contain #.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read /etc/passwd

curl --request-target /@​fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

Release Notes

vitejs/vite (vite)

v6.2.6

Compare Source

Please refer to CHANGELOG.md for details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

@renovate renovate bot enabled auto-merge (squash) April 11, 2025 18:14
@github-project-automation github-project-automation bot moved this from New to Waiting in DevOps (NR) Apr 11, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 6385551 to 692c671 Compare April 12, 2025 07:00
@renovate renovate bot merged commit aeab3d4 into main Apr 12, 2025
28 of 29 checks passed
@renovate renovate bot deleted the renovate/npm-vite-vulnerability branch April 12, 2025 07:08
@github-project-automation github-project-automation bot moved this from Waiting to Done in DevOps (NR) Apr 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

DevOps (NR)
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants