chore(deps): update dependency vite@<5.4.16 to v6 [security] #937

renovate · 2025-04-04T15:58:53Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite@<5.4.16 (source)	`^5.4.16` -> `^6.2.6`

GitHub Vulnerability Alerts

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected..

Details

`.svg`

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@&#8203;fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

CVE-2025-32395

Summary

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Impact

Only apps with the following conditions are affected.

explicitly exposing the Vite dev server to the network (using --host or server.host config option)
running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)

Details

HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3).

On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.

On Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of http.IncomingMessage.url did not contain #.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read /etc/passwd

curl --request-target /@&#8203;fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

Release Notes

vitejs/vite (vite@<5.4.16)

fix: await client buildStart on top level buildStart (#19624) (b31faab), closes #19624
fix(css): inline css correctly for double quote use strict (#19590) (d0aa833), closes #19590
fix(deps): update all non-major dependencies (#19613) (363d691), closes #19613
fix(indexHtml): ensure correct URL when querying module graph (#19601) (dc5395a), closes #19601
fix(preview): use preview https config, not server (#19633) (98b3160), closes #19633
fix(ssr): use optional chaining to prevent "undefined is not an object" happening in `ssrRewriteStac (4309755), closes #19612
feat: show friendly error for malformed base (#19616) (2476391), closes #19616
feat(worker): show asset filename conflict warning (#19591) (367d968), closes #19591
chore: extend commit hash correctly when ambigious with a non-commit object (#19600) (89a6287), closes #19600

`v6.2.1`

Compare Source

refactor: remove isBuild check from preAliasPlugin (#19587) (c9e086d), closes #19587
refactor: restore endsWith usage (#19554) (6113a96), closes #19554
refactor: use applyToEnvironment in internal plugins (#19588) (f678442), closes #19588
fix(css): stabilize css module hashes with lightningcss in dev mode (#19481) (92125b4), closes #19481
fix(deps): update all non-major dependencies (#19555) (f612e0f), closes #19555
fix(reporter): fix incorrect bundle size calculation with non-ASCII characters (#19561) (437c0ed), closes #19561
fix(sourcemap): combine sourcemaps with multiple sources without matched source (#18971) (e3f6ae1), closes #18971
fix(ssr): named export should overwrite export all (#19534) (2fd2fc1), closes #19534
feat: add *?url&no-inline type and warning for .json?inline / .json?no-inline (#19566) (c0d3667), closes #19566
test: add glob import test case (#19516) (aa1d807), closes #19516
test: convert config playground to unit tests (#19568) (c0e68da), closes #19568
test: convert resolve-config playground to unit tests (#19567) (db5fb48), closes #19567
perf: flush compile cache after 10s (#19537) (6c8a5a2), closes #19537
chore(css): move environment destructuring after condition check (#19492) (c9eda23), closes #19492
chore(html): remove unnecessary value check (#19491) (797959f), closes #19491

`v6.2.0`

Compare Source

fix(deps): update all non-major dependencies (#19501) (c94c9e0), closes #19501
fix(worker): string interpolation in dynamic worker options (#19476) (07091a1), closes #19476
chore: use unicode cross icon instead of x (#19497) (5c70296), closes #19497

fix: ensure .[cm]?[tj]sx? static assets are JS mime (#19453) (e7ba55e), closes #19453
fix: ignore *.ipv4 address in cert (#19416) (973283b), closes #19416
fix(css): run rewrite plugin if postcss plugin exists (#19371) (bcdb51a), closes #19371
fix(deps): bump tsconfck (#19375) (746a583), closes #19375
fix(deps): update all non-major dependencies (#19392) (60456a5), closes #19392
fix(deps): update all non-major dependencies (#19440) (ccac73d), closes #19440
fix(html): ignore malformed src attrs (#19397) (aff7812), closes #19397
fix(worker): fix web worker type detection (#19462) (edc65ea), closes #19462
refactor: remove custom .jxl mime (#19457) (0c85464), closes #19457
feat: add support for injecting debug IDs (#18763) (0ff556a), closes #18763
chore: update 6.1.0 changelog (#19363) (fa7c211), closes #19363

`v6.1.0`

Compare Source

Features

feat: show hosts in cert in CLI (#19317) (a5e306f), closes #19317
feat: support for env var for defining allowed hosts (#19325) (4d88f6c), closes #19325
feat: use native runtime to import the config (#19178) (7c2a794), closes #19178
feat: print port in the logged error message after failed WS connection with EADDRINUSE (#19212) (14027b0), closes #19212
perf(css): only run postcss when needed (#19061) (30194fa), closes #19061
feat: add support for .jxl (#18855) (57b397c), closes #18855
feat: add the builtins environment resolve (#18584) (2c2d521), closes #18584
feat: call Logger for plugin logs in build (#13757) (bf3e410), closes #13757
feat: export defaultAllowedOrigins for user-land config and 3rd party plugins (#19259) (dc8946b), closes #19259
feat: expose createServerModuleRunnerTransport (#18730) (8c24ee4), closes #18730
feat: support async for proxy.bypass (#18940) (a6b9587), closes #18940
feat: support log related functions in dev (#18922) (3766004), closes #18922
feat: use module runner to import the config (#18637) (b7e0e42), closes #18637
feat(css): add friendly errors for IE hacks that are not supported by lightningcss (#19072) (caad985), closes #19072
feat(optimizer): support bun text lockfile (#18403) (05b005f), closes #18403
feat(reporter): add wasm to the compressible assets regex (#19085) (ce84142), closes #19085
feat(worker): support dynamic worker option fields (#19010) (d0c3523), closes #19010

Fixes

fix: avoid builtStart during vite optimize (#19356) (fdb36e0), closes #19356
fix(build): fix stale build manifest on watch rebuild (#19361) (fcd5785), closes #19361
fix: allow expanding env vars in reverse order (#19352) (3f5f2bd), closes #19352
fix: avoid packageJson without name in resolveLibCssFilename (#19324) (f183bdf), closes #19324
fix(html): fix css disorder when building multiple entry html (#19143) (e7b4ba3), closes #19143
fix: don't call buildStart hooks for vite optimize (#19347) (19ffad0), closes #19347
fix: don't call next middleware if user sent response in proxy.bypass (#19318) (7e6364d), closes #19318
fix: respect top-level server.preTransformRequests (#19272) (12aaa58), closes #19272
fix: use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#19313) (9fc31b6), closes #19313
fix(css): less @plugin imports of JS files treated as CSS and rebased (fix #19268) (#19269) (602b373), closes #19268 #19269
fix(deps): update all non-major dependencies (#19296) (2bea7ce), closes #19296
fix(resolve): preserve hash/search of file url (#19300) (d1e1b24), closes #19300
fix(resolve): warn if node-like builtin was imported when resolve.builtin is empty (#19312) (b7aba0b), closes #19312
fix(ssr): fix transform error due to export all id scope (#19331) (e28bce2), closes #19331
fix(ssr): pretty print plugin error in ssrLoadModule (#19290) (353c467), closes #19290
fix: change ResolvedConfig type to interface to allow extending it (#19210) (bc851e3), closes #19210
fix: correctly resolve hmr dep ids and fallback to url (#18840) (b84498b), closes #18840
fix: make --force work for all environments (#18901) (51a42c6), closes #18901
fix: use loc.file from rollup errors if available (#19222) (ce3fe23), closes #19222
fix(deps): update all non-major dependencies (#19190) (f2c07db), closes #19190
fix(hmr): register inlined assets as a dependency of CSS file (#18979) (eb22a74), closes #18979
fix(resolve): support resolving TS files by JS extension specifiers in JS files (#18889) (612332b), closes #18889
fix(ssr): combine empty source mappings (#19226) (ba03da2), closes #19226
fix(utils): clone RegExp values with new RegExp instead of structuredClone (fix #19245, fix #1 (56ad2be), closes #19245 #18875 #19247

Chore

refactor: deprecate vite optimize command (#19348) (6e0e3c0), closes #19348
chore: update deprecate links domain (#19353) (2b2299c), closes #19353
docs: rephrase browser range and features relation (#19286) (97569ef), closes #19286
docs: update build.manifest jsdocs (#19332) (4583781), closes #19332
chore: remove outdated code comment about scanImports not being used in ssr (#19285) (fbbc6da), closes #19285
chore: unneeded name in lockfileFormats (#19275) (96092cb), closes #19275
chore(deps): update dependency strip-literal to v3 (#19231) (1172d65), closes #19231

Beta Changelogs

fix: preview.allowedHosts with specific values was not respected (#19246) (aeb3ec8), closes #19246
fix: allow CORS from loopback addresses by default (#19249) (3d03899), closes #19249

`v6.0.10`

Compare Source

fix: try parse server.origin URL (#19241) (2495022), closes #19241

`v6.0.9`

Compare Source

fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (bd896fb)
fix!: default server.cors: false to disallow fetching from untrusted origins (b09572a)
fix: verify token for HMR WebSocket connection (029dcd6)

`v6.0.8`

Compare Source

fix: avoid SSR HMR for HTML files (#19193) (3bd55bc), closes #19193
fix: build time display 7m 60s (#19108) (cf0d2c8), closes #19108
fix: don't resolve URL starting with double slash (#19059) (35942cd), closes #19059
fix: ensure server.close() only called once (#19204) (db81c2d), closes #19204
fix: resolve.conditions in ResolvedConfig was defaultServerConditions (#19174) (ad75c56), closes #19174
fix: tree shake stringified JSON imports (#19189) (f2aed62), closes #19189
fix: use shared sigterm callback (#19203) (47039f4), closes #19203
fix(deps): update all non-major dependencies (#19098) (8639538), closes #19098
fix(optimizer): use correct default install state path for yarn PnP (#19119) (e690d8b), closes #19119
fix(types): improve ESBuildOptions.include / exclude type to allow readonly (string | RegExp)[] (ea53e70), closes #19146
chore(deps): update dependency pathe to v2 (#19139) (71506f0), closes #19139

`v6.0.7`

Compare Source

fix: fix minify when builder.sharedPlugins: true (#19025) (f7b1964), closes #19025
fix: skip the plugin if it has been called before with the same id and importer (#19016) (b178c90), closes #19016
fix(html): error while removing vite-ignore attribute for inline script (#19062) (a492253), closes #19062
fix(ssr): fix semicolon injection by ssr transform (#19097) (1c102d5), closes #19097
perf: skip globbing for static path in warmup (#19107) (677508b), closes #19107
feat(css): show lightningcss warnings (#19076) (b07c036), closes #19076

`v6.0.6`

Compare Source

fix: replace runner-side path normalization with fetchModule-side resolve (#18361) (9f10261), closes #18361
fix(css): resolve style tags in HTML files correctly for lightningcss (#19001) (afff05c), closes #19001
fix(css): show correct error when unknown placeholder is used for CSS modules pattern in lightningcs (9290d85), closes #19070
fix(resolve): handle package.json with UTF-8 BOM (#19000) (902567a), closes #19000
fix(ssrTransform): preserve line offset when transforming imports (#19004) (1aa434e), closes #19004
chore: fix typo in comment (#19067) (eb06ec3), closes #19067
chore: update comment about build.target (#19047) (0e9e81f), closes #19047
revert: unpin esbuild version (#19043) (8bfe247), closes #19043
test(ssr): test virtual module with query (#19044) (a1f4b46), closes #19044

`v6.0.5`

Compare Source

fix: esbuild regression (pin to 0.24.0) (#19027) (4359e0d), closes #19027

`v6.0.4`

Compare Source

fix: this.resolve skipSelf should not skip for different id or import (#18903) (4727320), closes #18903
fix: fallback terser to main thread when function options are used (#18987) (12b612d), closes #18987
fix: merge client and ssr values for pluginContainer.getModuleInfo (#18895) (258cdd6), closes #18895
fix(css): escape double quotes in url() when lightningcss is used (#18997) (3734f80), closes #18997
fix(css): root relative import in sass modern API on Windows (#18945) (c4b532c), closes #18945
fix(css): skip non css in custom sass importer (#18970) (21680bd), closes #18970
fix(deps): update all non-major dependencies (#18967) (d88d000), closes #18967
fix(deps): update all non-major dependencies (#18996) (2b4f115), closes #18996
fix(optimizer): keep NODE_ENV as-is when keepProcessEnv is true (#18899) (8a6bb4e), closes #18899
fix(ssr): recreate ssrCompatModuleRunner on restart (#18973) (7d6dd5d), closes #18973
chore: better validation error message for dts build (#18948) (63b82f1), closes #18948
chore(deps): update all non-major dependencies (#18916) (ef7a6a3), closes #18916
chore(deps): update dependency @rollup/plugin-node-resolve to v16 (#18968) (62fad6d), closes #18968
refactor: make internal invoke event to use the same interface with handleInvoke (#18902) (27f691b), closes #18902
refactor: simplify manifest plugin code (#18890) (1bfe21b), closes #18890
test: test ModuleRunnerTransport invoke API (#18865) (e5f5301), closes #18865
test: test output hash changes (#18898) (bfbb130), closes #18898

`v6.0.3`

Compare Source

fix: handle postcss load unhandled rejections (#18886) (d5fb653), closes #18886
fix: make handleInvoke interface compatible with invoke (#18876) (a1dd396), closes #18876
fix: make result interfaces for ModuleRunnerTransport#invoke more explicit (#18851) (a75fc31), closes #18851
fix: merge environments.ssr.resolve with root ssr config (#18857) (3104331), closes #18857
fix: no permission to create vite config file (#18844) (ff47778), closes #18844
fix: remove CSS import in CJS correctly in some cases (#18885) (690a36f), closes #18885
fix(config): bundle files referenced with imports field (#18887) (2b5926a), closes #18887
fix(config): make stacktrace path correct when sourcemap is enabled (#18833) (20fdf21), closes #18833
fix(css): rewrite url when image-set and url exist at the same time (#18868) (d59efd8), closes #18868
fix(deps): update all non-major dependencies (#18853) (5c02236), closes #18853
fix(html): allow unexpected question mark in tag name (#18852) (1b54e50), closes #18852
fix(module-runner): decode uri for file url passed to import (#18837) (88e49aa), closes #18837
refactor: fix logic errors found by no-unnecessary-condition rule (#18891) (ea802f8), closes #18891
chore: fix duplicate attributes issue number in comment (#18860) (ffee618), closes #18860

`v6.0.2`

Compare Source

chore: run typecheck in unit tests (#18858) (49f20bb), closes #18858
chore: update broken links in changelog (#18802) (cb754f8), closes #18802
chore: update broken links in changelog (#18804) (47ec49f), closes #18804
fix: don't store temporary vite config file in node_modules if deno (#18823) (a20267b), closes #18823
fix(css): referencing aliased svg asset with lightningcss enabled errored (#18819) (ae68958), closes [#18819](https://redirect.github.com/vitejs/vite/issu

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

chore(deps): update dependency vite@<5.4.16 to v6 [security]

f06eae6

renovate bot force-pushed the renovate/npm-vite<5.4.16-vulnerability branch from 1aeb8ff to f06eae6 Compare April 11, 2025 15:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency vite@<5.4.16 to v6 [security] #937

chore(deps): update dependency vite@<5.4.16 to v6 [security] #937

renovate bot commented Apr 4, 2025 •

edited

Loading

chore(deps): update dependency vite@&lt;5.4.16 to v6 [security] #937

Are you sure you want to change the base?

chore(deps): update dependency vite@&lt;5.4.16 to v6 [security] #937

Conversation

renovate bot commented Apr 4, 2025 • edited Loading

GitHub Vulnerability Alerts

Summary

Impact

Details

.svg

relative paths

PoC

Summary

Impact

Details

PoC

Release Notes

Features

Fixes

Chore

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

6.1.0-beta.1 (2025-02-04)

6.1.0-beta.0 (2025-01-24)

Configuration

chore(deps): update dependency vite@<5.4.16 to v6 [security] #937

chore(deps): update dependency vite@<5.4.16 to v6 [security] #937

renovate bot commented Apr 4, 2025 •

edited

Loading

`.svg`