Skip to content

🚨 [security] [js] Update vite 5.4.14 → 5.4.19 (patch) #225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

🚨 [security] [js] Update vite 5.4.14 → 5.4.19 (patch) #225

wants to merge 1 commit into from

Conversation

depfu[bot]
Copy link
Contributor

@depfu depfu bot commented Apr 30, 2025

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ vite (5.4.14 → 5.4.19) · Repo · Changelog

Security Advisories 🚨

🚨 Vite's server.fs.deny bypassed with /. for files under project root

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

  • Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
  • Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

image
image

🚨 Vite has an `server.fs.deny` bypass with an invalid `request-target`

Summary

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Impact

Only apps with the following conditions are affected.

  • explicitly exposing the Vite dev server to the network (using --host or server.host config option)
  • running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)

Details

HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3).

On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.

On Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of http.IncomingMessage.url did not contain #.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read /etc/passwd

curl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

🚨 Vite allows server.fs.deny to be bypassed with .svg or relative paths

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

.svg

Requests ending with .svg are loaded at this line.

    <tbody>

    <tr class="border-0">
      <td id="L286" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="286"></td>
      <td id="LC286" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">const</span> <span class="pl-s1">file</span> <span class="pl-c1">=</span> <span class="pl-s1">publicFile</span> <span class="pl-c1">||</span> <span class="pl-en">cleanUrl</span><span class="pl-kos">(</span><span class="pl-s1">id</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L287" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="287"></td>
      <td id="LC287" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">const</span> <span class="pl-s1">content</span> <span class="pl-c1">=</span> <span class="pl-k">await</span> <span class="pl-s1">fsp</span><span class="pl-kos">.</span><span class="pl-en">readFile</span><span class="pl-kos">(</span><span class="pl-s1">file</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L288" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="288"></td>
      <td id="LC288" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-en">shouldInline</span><span class="pl-kos">(</span><span class="pl-s1">environment</span><span class="pl-kos">,</span> <span class="pl-s1">file</span><span class="pl-kos">,</span> <span class="pl-s1">id</span><span class="pl-kos">,</span> <span class="pl-s1">content</span><span class="pl-kos">,</span> <span class="pl-c1">undefined</span><span class="pl-kos">,</span> <span class="pl-c1">undefined</span><span class="pl-kos">)</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L289" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="289"></td>
      <td id="LC289" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">     <span class="pl-k">return</span> <span class="pl-en">assetToDataURL</span><span class="pl-kos">(</span><span class="pl-s1">environment</span><span class="pl-kos">,</span> <span class="pl-s1">file</span><span class="pl-kos">,</span> <span class="pl-s1">content</span><span class="pl-kos">)</span> </td>
    </tr>

    <tr class="border-0">
      <td id="L290" class="blob-num border-0 px-3 py-0 color-bg-default" data-line-number="290"></td>
      <td id="LC290" class="blob-code border-0 px-3 py-0 color-bg-default blob-code-inner js-file-line">   <span class="pl-kos">}</span> </td>
    </tr>
</tbody>
if (svgExtRE.test(id)) {

By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'
curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

🚨 Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

  • base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
  • content of non-allowed files is exposed using ?raw?import

/@fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init

🚨 Vite bypasses server.fs.deny when using ?raw??

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt


# expected behaviour

$ curl "http://localhost:5173/@fs/tmp/secret.txt"


<span class="pl-k">&lt;</span>body<span class="pl-k">&gt;</span>
  <span class="pl-k">&lt;</span>h<span class="pl-k">1&gt;</span>403 Restricted<span class="pl-k">&lt;</span>/h<span class="pl-k">1&gt;</span>
  <span class="pl-k">&lt;</span>p<span class="pl-k">&gt;</span>The request url <span class="pl-k">&amp;</span>quot<span class="pl-k">;</span>/tmp/secret.txt<span class="pl-k">&amp;</span>quot<span class="pl-k">;</span> is outside of Vite serving allow list.



# security bypassed

$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&amp;raw??"

export default "top secret content\n"

//# sourceMappingURL=data:application/json;base64,eyJ2...

Release Notes

5.4.19

Please refer to CHANGELOG.md for details.

5.4.18

Please refer to CHANGELOG.md for details.

5.4.17

Please refer to CHANGELOG.md for details.

5.4.16

Please refer to CHANGELOG.md for details.

5.4.15

Please refer to CHANGELOG.md for details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Apr 30, 2025
@depfu depfu bot mentioned this pull request Apr 30, 2025
Closed
@depfu Depfu
Copy link
Contributor Author

depfu bot commented Sep 9, 2025

Closed in favor of #242.

@depfu depfu bot closed this Sep 9, 2025
@depfu depfu bot deleted the depfu/update/pnpm/vite-5.4.19 branch September 9, 2025 22:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants