chore: [security] bump vite from 6.2.2 to 6.2.6 #442

Merged
martinr92 merged 1 commit from dependabot-npm_and_yarn-develop-vite-6.2.6 into develop 2025-04-19 12:29:52 +00:00
martinr92 commented 2025-04-12 02:58:19 +00:00 (Migrated from gitlab.com)

Bumps vite from 6.2.2 to 6.2.6. This update includes security fixes.

Vulnerabilities fixed

Vite has a server.fs.deny bypass with an invalid request-target

Summary

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Impact

Only apps with the following conditions are affected.

  • explicitly exposing the Vite dev server to the network (using --host or server.host config option)
  • running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)

Details

The HTTP/1.1 spec (RFC 9112, https://datatracker.ietf.org/doc/html/rfc9112#section-3.2) does not allow # in the request-target, although an attacker can still send such a request. For requests with an invalid request-line (which includes the request-target), the spec recommends rejecting them with 400 or 301 (https://datatracker.ietf.org/doc/html/rfc9112#section-3.2-4). The same applies to HTTP/2 (ref1: https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-2.4.1, ref2: https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-3, ref3: https://datatracker.ietf.org/doc/html/rfc9113#section-8.1.1-3).

On Node and Bun, those requests are not rejected internally and are passed to user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.

On Deno, those requests are not rejected internally and are passed to user land as well, but for those requests the value of http.IncomingMessage.url did not contain #.

PoC

npm create vite@latest

... (truncated)

Patched versions: 4.5.13; 5.4.18; 6.0.15; 6.1.5; 6.2.6. Affected versions: >= 6.2.0, < 6.2.6

Vite allows server.fs.deny to be bypassed with .svg or relative paths

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

.svg

Requests ending with .svg are loaded at this line: https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290 By adding ?.svg together with ?.wasm?init or with a sec-fetch-dest: script header, the restriction could be bypassed.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

... (truncated)

Patched versions: 4.5.12; 5.4.17; 6.0.14; 6.1.4; 6.2.5. Affected versions: >= 6.2.0, < 6.2.5

Vite has a server.fs.deny bypassed for inline and raw with ?import query

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

  • base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
  • content of non-allowed files is exposed using ?raw?import

/@fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice.


... (truncated)

Patched versions: 4.5.11; 5.4.16; 6.0.13; 6.1.3; 6.2.4. Affected versions: >= 6.2.0, < 6.2.4

Vite bypasses server.fs.deny when using ?raw??

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite's serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

... (truncated)

Patched versions: 4.5.10; 5.4.15; 6.0.12; 6.1.2; 6.2.3. Affected versions: >= 6.2.0, < 6.2.3

Changelog

Sourced from vite's changelog (https://github.com/vitejs/vite/blob/v6.2.6/packages/vite/CHANGELOG.md).

6.2.6 (2025-04-10)

  • fix: reject requests with # in request-target (#19830) (3bb0883), closes #19830

6.2.5 (2025-04-03)

  • fix: backport #19782, fs check with svg and relative paths (fdb196e), closes #19782

6.2.4 (2025-03-31)

  • fix: fs check in transform middleware (#19761) (7a4faba), closes #19761

6.2.3 (2025-03-24)

  • fix: fs raw query with query separators (#19702) (f234b57), closes #19702

Commits

  • d3dbf25 release: v6.2.6
  • 3bb0883 fix: reject requests with # in request-target (#19830)
  • c176acf release: v6.2.5
  • fdb196e fix: backport #19782, fs check with svg and relative paths
  • 037f801 release: v6.2.4
  • 7a4faba fix: fs check in transform middleware (#19761)
  • 16869d7 release: v6.2.3
  • f234b57 fix: fs raw query with query separators (#19702)
  • See full diff in compare view: https://github.com/vitejs/vite/commits/v6.2.6/packages/vite
martinr92 commented 2025-04-12 02:58:20 +00:00 (Migrated from gitlab.com)

assigned to @martinr92

martinr92 commented 2025-04-12 02:58:24 +00:00 (Migrated from gitlab.com)

mentioned in merge request !415

martinr92 commented 2025-04-19 12:25:15 +00:00 (Migrated from gitlab.com)

added 5 commits

  • bf173eec...963eb613 - 4 commits from branch develop
  • d9607113 - chore: [security] bump vite from 6.2.2 to 6.2.6

Compare with previous version

martinr92 (Migrated from gitlab.com) scheduled this pull request to auto merge when all checks succeed 2025-04-19 12:25:53 +00:00
martinr92 commented 2025-04-19 12:28:56 +00:00 (Migrated from gitlab.com)
SonarQube Cloud Code Analysis

Quality Gate passed

Issues

  • 0 New issues
  • 0 Accepted issues

Measures

  • 0 Security Hotspots
  • 0.0% Coverage on New Code
  • 0.0% Duplication on New Code

See analysis details on SonarQube Cloud: https://sonarcloud.io/dashboard?id=marty-media_server&pullRequest=418
martinr92 (Migrated from gitlab.com) merged commit into develop 2025-04-19 12:29:52 +00:00
martinr92 commented 2025-04-19 16:24:51 +00:00 (Migrated from gitlab.com)

🎉 This MR is included in version 0.8.0-beta.1 🎉

The release is available on GitLab release: https://gitlab.com/marty-media/server/-/releases/v0.8.0-beta.1

Your semantic-release bot 📦 🚀

martinr92 commented 2025-04-27 10:35:11 +00:00 (Migrated from gitlab.com)

🎉 This MR is included in version 0.8.0 🎉

The release is available on GitLab release: https://gitlab.com/marty-media/server/-/releases/v0.8.0

Your semantic-release bot 📦 🚀
