chore: [security] bump vite from 6.2.2 to 6.2.4 #429

Closed
martinr92 wants to merge 1 commit from dependabot-npm_and_yarn-develop-vite-6.2.4 into develop
martinr92 commented 2025-04-01 02:58:01 +00:00 (Migrated from gitlab.com)

Bumps vite from 6.2.2 to 6.2.4. This update includes security fixes.

Vulnerabilities fixed

Vite has a server.fs.deny bypassed for inline and raw with ?import query

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

  • base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
  • content of non-allowed files is exposed using ?raw?import

/@fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice.

... (truncated)

Patched versions: 4.5.11; 5.4.16; 6.0.13; 6.1.3; 6.2.4
Affected versions: >= 6.2.0, < 6.2.4

Vite bypasses server.fs.deny when using ?raw??

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of the Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places but are not accounted for in the query-string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

... (truncated)

Patched versions: 4.5.10; 5.4.15; 6.0.12; 6.1.2; 6.2.3
Affected versions: >= 6.2.0, < 6.2.3

Changelog

Sourced from vite's changelog (https://github.com/vitejs/vite/blob/v6.2.4/packages/vite/CHANGELOG.md).

6.2.4 (2025-03-31)

  • fix: fs check in transform middleware (#19761) (7a4faba), closes #19761

6.2.3 (2025-03-24)

  • fix: fs raw query with query separators (#19702) (f234b57), closes #19702

Commits

  • 037f801 release: v6.2.4
  • 7a4faba fix: fs check in transform middleware (#19761)
  • 16869d7 release: v6.2.3
  • f234b57 fix: fs raw query with query separators (#19702)
  • See full diff in compare view: https://github.com/vitejs/vite/commits/v6.2.4/packages/vite
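The root cause named in the second advisory (trailing separators such as ? are stripped in several places but not accounted for in the query-string regexes) in runnable form. This is an added JavaScript model written for this page, not Vite's code and not the patch in this PR: ROOT, FAKE_FS, the regexes and the two-stage handle() are assumptions that reproduce the shape of the bug, namely a regex gate that inspects the URL exactly as received and a loader that normalises the URL (drops ?import markers and trailing ?/& characters) before acting on it. It covers the ?raw??, ?raw?import and ?import&raw?? forms named in both advisories and shows the hardened gate that normalises before matching.

```javascript
// Added model for this page, not Vite's code. ROOT, FAKE_FS and the regexes are assumptions.

const ROOT = '/home/user/vite-project'; // assumed project root, i.e. the serving allow list

// Constructed in-memory "disk": one file inside the root, one outside it.
const FAKE_FS = {
  [ROOT + '/src/main.js']: 'console.log("hello")\n',
  '/tmp/secret.txt': 'top secret content\n',
};

// Gate regex: "raw" counts only when followed by "&" or end-of-string,
// so "?raw??" and "?raw?import" do not match it.
const RAW_RE = /(\?|&)raw(?:&|$)/;
// Loader-side normalisation: drop "?import"/"&import" markers, then trailing separators.
const IMPORT_QUERY_RE = /(\?|&)import=?(?:&|$)/;
const TRAILING_SEPARATOR_RE = /[?&]+$/;

function normalizeUrl(url) {
  return url.replace(IMPORT_QUERY_RE, '$1').replace(TRAILING_SEPARATOR_RE, '');
}

function splitUrl(url) {
  const i = url.indexOf('?');
  return i === -1
    ? { pathname: url, query: new URLSearchParams() }
    : { pathname: url.slice(0, i), query: new URLSearchParams(url.slice(i + 1)) };
}

// "/@fs/<absolute path>" addresses the disk directly; anything else lives under ROOT.
function toFsPath(pathname) {
  return pathname.startsWith('/@fs/') ? pathname.slice('/@fs'.length) : ROOT + pathname;
}

function isAllowed(fsPath) {
  return fsPath === ROOT || fsPath.startsWith(ROOT + '/');
}

// Vulnerable gate: tests the URL exactly as received.
function naiveIsRawRequest(url) {
  return RAW_RE.test(url);
}

// Hardened gate: normalise the same way the loader will, then test.
function hardenedIsRawRequest(url) {
  return RAW_RE.test(normalizeUrl(url));
}

// Request handling. The raw branch serves file bytes directly and relies entirely on
// the gate for the allow-list check; the ordinary module pipeline checks for itself.
function handle(url, isRawRequest) {
  const fsPath = toFsPath(splitUrl(url).pathname);
  const deny = { status: 403, body: `The request url "${fsPath}" is outside of Vite serving allow list.` };
  if (isRawRequest(url) && !isAllowed(fsPath)) return deny;

  const { query } = splitUrl(normalizeUrl(url));
  if (query.has('raw')) {
    const content = FAKE_FS[fsPath];
    return content === undefined ? { status: 404, body: '' } : { status: 200, body: content };
  }
  if (!isAllowed(fsPath)) return deny;
  return { status: 200, body: `/* transformed module ${fsPath} */` };
}

// Demo: the same requests through both gates.
const REQUESTS = [
  '/src/main.js?raw',
  '/@fs/tmp/secret.txt?raw',
  '/@fs/tmp/secret.txt?raw??',
  '/@fs/tmp/secret.txt?raw?import',
  '/@fs/tmp/secret.txt?import&raw??',
];
for (const url of REQUESTS) {
  console.log(url.padEnd(36),
    'naive:', handle(url, naiveIsRawRequest).status,
    'hardened:', handle(url, hardenedIsRawRequest).status);
}
```

Run it with node. With the naive gate the plain `/@fs/tmp/secret.txt?raw` request is refused (403) but the three suffixed forms all return the secret (200), because the gate never sees the normalised `?raw` that the loader acts on; with the hardened gate all four are refused and the in-root `?raw` request still works. The general lesson is that any check that runs before a normalisation step has to apply that same normalisation first. None of this matters unless the dev server is reachable from the network (`--host` or `server.host`), and the fix is the upgrade this PR carries.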
martinr92 commented 2025-04-01 02:58:01 +00:00 (Migrated from gitlab.com)

assigned to @martinr92
martinr92 commented 2025-04-01 02:58:08 +00:00 (Migrated from gitlab.com)

mentioned in merge request !397
martinr92 commented 2025-04-01 03:02:49 +00:00 (Migrated from gitlab.com)
## SonarQube Cloud Code Analysis

Quality Gate passed

Issues

  • [0 New issues](https://sonarcloud.io/project/issues?id=marty-media_server&pullRequest=405&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
  • [0 Accepted issues](https://sonarcloud.io/project/issues?id=marty-media_server&pullRequest=405&issueStatuses=ACCEPTED)

Measures

  • [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=marty-media_server&pullRequest=405&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
  • [0.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=marty-media_server&pullRequest=405&metric=new_coverage&view=list)
  • [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=marty-media_server&pullRequest=405&metric=new_duplicated_lines_density&view=list)

[See analysis details on SonarQube Cloud](https://sonarcloud.io/dashboard?id=marty-media_server&pullRequest=405)
martinr92 commented 2025-04-05 02:58:28 +00:00 (Migrated from gitlab.com)

This merge request has been superseded by !415+
martinr92 (Migrated from gitlab.com) closed this pull request 2025-04-05 02:58:28 +00:00
