Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency vite to v6.1.3 [security] #2145

Merged
merged 1 commit into from
Mar 31, 2025
Merged

chore(deps): update dependency vite to v6.1.3 [security] #2145

merged 1 commit into from
Mar 31, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 25, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 6.0.9 -> 6.1.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

  • base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
  • content of non-allowed files is exposed using ?raw?import

/@&#8203;fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@&#8203;fs/C:/windows/win.ini?import&?inline=1.wasm?init

Release Notes

vitejs/vite (vite)

v6.1.3

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.2

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.1

Compare Source

v6.1.0

Compare Source

Features
Fixes
Chore
Beta Changelogs
6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

v6.0.13

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.12

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.11

Compare Source

v6.0.10

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the Type: Dependency Dependencies fixes label Mar 25, 2025
@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented Mar 25, 2025
edited
Loading

Deploying vue-i18n-next with  Cloudflare Pages  Cloudflare Pages

Latest commit: f2c08bb
Status: ✅  Deploy successful!
Preview URL: https://5ee6d323.vue-i18n-next.pages.dev
Branch Preview URL: https://renovate-npm-vite-vulnerabil.vue-i18n-next.pages.dev

View logs

@github-actions GitHub Actions
Copy link

Size Report

Bundles

File Size Gzip Brotli
core.esm-browser.prod.js 37.81 kB 11.57 kB 10.32 kB
core.global.prod.js 30.98 kB 10.72 kB 9.65 kB
core.runtime.esm-browser.prod.js 23.53 kB 7.66 kB 6.84 kB
core.runtime.global.prod.js 17.96 kB 6.99 kB 6.28 kB
message-compiler.esm-browser.prod.js 19.29 kB 5.76 kB 5.14 kB
message-compiler.global.prod.js 17.32 kB 5.55 kB 4.98 kB
petite-vue-i18n-core.esm-browser.prod.js 20.21 kB 6.79 kB 6.14 kB
petite-vue-i18n-core.global.prod.js 15.49 kB 5.99 kB 5.43 kB
petite-vue-i18n.esm-browser.prod.js 36.71 kB 11.27 kB 10.11 kB
petite-vue-i18n.global.prod.js 29.72 kB 10.12 kB 9.15 kB
petite-vue-i18n.runtime.esm-browser.prod.js 22.28 kB 7.27 kB 6.56 kB
petite-vue-i18n.runtime.global.prod.js 16.71 kB 6.36 kB 5.76 kB
vue-i18n.esm-browser.prod.js 50.31 kB 15.06 kB 13.46 kB
vue-i18n.global.prod.js 40.36 kB 13.53 kB 12.18 kB
vue-i18n.runtime.esm-browser.prod.js 35.88 kB 11.06 kB 9.94 kB
vue-i18n.runtime.global.prod.js 27.35 kB 9.79 kB 8.85 kB

Usages

Name Size Gzip Brotli
packages/size-check-core (@intlify/core) 9.04 kB (-0.09 kB) 3.72 kB (-0.04 kB) 3.39 kB (-0.03 kB)
packages/size-check-petite-vue-i18n (petite-vue-i18n) 77.51 kB (-0.18 kB) 30.19 kB (-0.09 kB) 27.19 kB (-0.05 kB)
packages/size-check-vue-i18n (vue-i18n) 82.59 kB (-0.11 kB) 31.62 kB (-0.07 kB) 28.50 kB (+0.01 kB)

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 7b0e645 to f2c08bb Compare March 31, 2025 17:35
@renovate renovate bot changed the title chore(deps): update dependency vite to v6.1.2 [security] chore(deps): update dependency vite to v6.1.3 [security] Mar 31, 2025
@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Mar 31, 2025
edited
Loading

Open in StackBlitz

@intlify/core

npm i https://pkg.pr.new/@intlify/core@2145

@intlify/core-base

npm i https://pkg.pr.new/@intlify/core-base@2145

@intlify/devtools-types

npm i https://pkg.pr.new/@intlify/devtools-types@2145

@intlify/message-compiler

npm i https://pkg.pr.new/@intlify/message-compiler@2145

petite-vue-i18n

npm i https://pkg.pr.new/petite-vue-i18n@2145

@intlify/shared

npm i https://pkg.pr.new/@intlify/shared@2145

vue-i18n

npm i https://pkg.pr.new/vue-i18n@2145

@intlify/vue-i18n-core

npm i https://pkg.pr.new/@intlify/vue-i18n-core@2145

commit: f6d0533

@renovate renovate bot merged commit 882a48e into master Mar 31, 2025
30 checks passed
@renovate renovate bot deleted the renovate/npm-vite-vulnerability branch March 31, 2025 22:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Type: Dependency Dependencies fixes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants