Update dependency vite to v6.2.4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.2.0 -> 6.2.4

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

• base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
• content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init

---

Release Notes

vitejs/vite (vite)

v6.2.4

Compare Source

Please refer to CHANGELOG.md for details.

v6.2.3

Compare Source

Please refer to CHANGELOG.md for details.

v6.2.2

Compare Source

• fix: await client buildStart on top level buildStart (#​19624) (b31faab), closes #​19624
• fix(css): inline css correctly for double quote use strict (#​19590) (d0aa833), closes #​19590
• fix(deps): update all non-major dependencies (#​19613) (363d691), closes #​19613
• fix(indexHtml): ensure correct URL when querying module graph (#​19601) (dc5395a), closes #​19601
• fix(preview): use preview https config, not server (#​19633) (98b3160), closes #​19633
• fix(ssr): use optional chaining to prevent "undefined is not an object" happening in `ssrRewriteStac (4309755), closes #​19612
• feat: show friendly error for malformed base (#​19616) (2476391), closes #​19616
• feat(worker): show asset filename conflict warning (#​19591) (367d968), closes #​19591
• chore: extend commit hash correctly when ambigious with a non-commit object (#​19600) (89a6287), closes #​19600

v6.2.1

Compare Source

• refactor: remove isBuild check from preAliasPlugin (#​19587) (c9e086d), closes #​19587
• refactor: restore endsWith usage (#​19554) (6113a96), closes #​19554
• refactor: use applyToEnvironment in internal plugins (#​19588) (f678442), closes #​19588
• fix(css): stabilize css module hashes with lightningcss in dev mode (#​19481) (92125b4), closes #​19481
• fix(deps): update all non-major dependencies (#​19555) (f612e0f), closes #​19555
• fix(reporter): fix incorrect bundle size calculation with non-ASCII characters (#​19561) (437c0ed), closes #​19561
• fix(sourcemap): combine sourcemaps with multiple sources without matched source (#​18971) (e3f6ae1), closes #​18971
• fix(ssr): named export should overwrite export all (#​19534) (2fd2fc1), closes #​19534
• feat: add *?url&no-inline type and warning for .json?inline / .json?no-inline (#​19566) (c0d3667), closes #​19566
• test: add glob import test case (#​19516) (aa1d807), closes #​19516
• test: convert config playground to unit tests (#​19568) (c0e68da), closes #​19568
• test: convert resolve-config playground to unit tests (#​19567) (db5fb48), closes #​19567
• perf: flush compile cache after 10s (#​19537) (6c8a5a2), closes #​19537
• chore(css): move environment destructuring after condition check (#​19492) (c9eda23), closes #​19492
• chore(html): remove unnecessary value check (#​19491) (797959f), closes #​19491

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	12.68%	1304 / 10276
🔵	Statements	12.68%	1304 / 10276
🔵	Functions	25.12%	103 / 410
🔵	Branches	54.06%	206 / 381

File Coverage

No changed files found.

Generated in workflow #696 for commit 933eac2 by the Vitest Coverage Report Action

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud