Update dependency vite to v6.1.6 [SECURITY] #5431

openverse-bot · 2025-05-30T15:08:06Z

This PR contains the following updates:

Package	Type	Update	Change
vite (source)	devDependencies	minor	`6.0.11` -> `6.1.6`

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
content of non-allowed files is exposed using ?raw?import

/@fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

`.svg`

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@&#8203;fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

CVE-2025-32395

Summary

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Impact

Only apps with the following conditions are affected.

explicitly exposing the Vite dev server to the network (using --host or server.host config option)
running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)

Details

HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3).

On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.

On Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of http.IncomingMessage.url did not contain #.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read /etc/passwd

curl --request-target /@&#8203;fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

CVE-2025-46565

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

Release Notes

vitejs/vite (vite)

`v6.1.6`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.5`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.4`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.3`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.2`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.1`

Compare Source

fix: ensure .[cm]?[tj]sx? static assets are JS mime (#19453) (e7ba55e), closes #19453
fix: ignore *.ipv4 address in cert (#19416) (973283b), closes #19416
fix(css): run rewrite plugin if postcss plugin exists (#19371) (bcdb51a), closes #19371
fix(deps): bump tsconfck (#19375) (746a583), closes #19375
fix(deps): update all non-major dependencies (#19392) (60456a5), closes #19392
fix(deps): update all non-major dependencies (#19440) (ccac73d), closes #19440
fix(html): ignore malformed src attrs (#19397) (aff7812), closes #19397
fix(worker): fix web worker type detection (#19462) (edc65ea), closes #19462
refactor: remove custom .jxl mime (#19457) (0c85464), closes #19457
feat: add support for injecting debug IDs (#18763) (0ff556a), closes #18763
chore: update 6.1.0 changelog (#19363) (fa7c211), closes #19363

`v6.1.0`

Compare Source

Features

feat: show hosts in cert in CLI (#19317) (a5e306f), closes #19317
feat: support for env var for defining allowed hosts (#19325) (4d88f6c), closes #19325
feat: use native runtime to import the config (#19178) (7c2a794), closes #19178
feat: print port in the logged error message after failed WS connection with EADDRINUSE (#19212) (14027b0), closes #19212
perf(css): only run postcss when needed (#19061) (30194fa), closes #19061
feat: add support for .jxl (#18855) (57b397c), closes #18855
feat: add the builtins environment resolve (#18584) (2c2d521), closes #18584
feat: call Logger for plugin logs in build (#13757) (bf3e410), closes #13757
feat: export defaultAllowedOrigins for user-land config and 3rd party plugins (#19259) (dc8946b), closes #19259
feat: expose createServerModuleRunnerTransport (#18730) (8c24ee4), closes #18730
feat: support async for proxy.bypass (#18940) (a6b9587), closes #18940
feat: support log related functions in dev (#18922) (3766004), closes #18922
feat: use module runner to import the config (#18637) (b7e0e42), closes #18637
feat(css): add friendly errors for IE hacks that are not supported by lightningcss (#19072) (caad985), closes #19072
feat(optimizer): support bun text lockfile (#18403) (05b005f), closes #18403
feat(reporter): add wasm to the compressible assets regex (#19085) (ce84142), closes #19085
feat(worker): support dynamic worker option fields (#19010) (d0c3523), closes #19010

Fixes

fix: avoid builtStart during vite optimize (#19356) (fdb36e0), closes #19356
fix(build): fix stale build manifest on watch rebuild (#19361) (fcd5785), closes #19361
fix: allow expanding env vars in reverse order (#19352) (3f5f2bd), closes #19352
fix: avoid packageJson without name in resolveLibCssFilename (#19324) (f183bdf), closes #19324
fix(html): fix css disorder when building multiple entry html (#19143) (e7b4ba3), closes #19143
fix: don't call buildStart hooks for vite optimize (#19347) (19ffad0), closes #19347
fix: don't call next middleware if user sent response in proxy.bypass (#19318) (7e6364d), closes #19318
fix: respect top-level server.preTransformRequests (#19272) (12aaa58), closes #19272
fix: use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#19313) (9fc31b6), closes #19313
fix(css): less @plugin imports of JS files treated as CSS and rebased (fix #19268) (#19269) (602b373), closes #19268 #19269
fix(deps): update all non-major dependencies (#19296) (2bea7ce), closes #19296
fix(resolve): preserve hash/search of file url (#19300) (d1e1b24), closes #19300
fix(resolve): warn if node-like builtin was imported when resolve.builtin is empty (#19312) (b7aba0b), closes #19312
fix(ssr): fix transform error due to export all id scope (#19331) (e28bce2), closes #19331
fix(ssr): pretty print plugin error in ssrLoadModule (#19290) (353c467), closes #19290
fix: change ResolvedConfig type to interface to allow extending it (#19210) (bc851e3), closes #19210
fix: correctly resolve hmr dep ids and fallback to url (#18840) (b84498b), closes #18840
fix: make --force work for all environments (#18901) (51a42c6), closes #18901
fix: use loc.file from rollup errors if available (#19222) (ce3fe23), closes #19222
fix(deps): update all non-major dependencies (#19190) (f2c07db), closes #19190
fix(hmr): register inlined assets as a dependency of CSS file (#18979) (eb22a74), closes #18979
fix(resolve): support resolving TS files by JS extension specifiers in JS files (#18889) (612332b), closes #18889
fix(ssr): combine empty source mappings (#19226) (ba03da2), closes #19226
fix(utils): clone RegExp values with new RegExp instead of structuredClone (fix #19245, fix #1 (56ad2be), closes #19245 #18875 #19247

Chore

refactor: deprecate vite optimize command (#19348) (6e0e3c0), closes #19348
chore: update deprecate links domain (#19353) (2b2299c), closes #19353
docs: rephrase browser range and features relation (#19286) (97569ef), closes #19286
docs: update build.manifest jsdocs (#19332) (4583781), closes #19332
chore: remove outdated code comment about scanImports not being used in ssr (#19285) (fbbc6da), closes #19285
chore: unneeded name in lockfileFormats (#19275) (96092cb), closes #19275
chore(deps): update dependency strip-literal to v3 (#19231) (1172d65), closes #19231

Beta Changelogs

Please refer to CHANGELOG.md for details.

`v6.0.14`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.0.13`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.0.12`

Compare Source

Please refer to CHANGELOG.md for details.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

github-actions · 2025-05-30T15:19:17Z

Latest k6 run output¹

     ✓ status was 200

     checks.........................: 100.00% ✓ 396      ✗ 0   
     data_received..................: 92 MB   384 kB/s
     data_sent......................: 52 kB   215 B/s
     http_req_blocked...............: avg=81.83µs  min=2.31µs   med=4.85µs   max=2.28ms  p(90)=158.33µs p(95)=352.85µs
     http_req_connecting............: avg=59.47µs  min=0s       med=0s       max=2.19ms  p(90)=106.35µs p(95)=190.43µs
     http_req_duration..............: avg=155.66ms min=16.95ms  med=100.64ms max=1.02s   p(90)=354.08ms p(95)=431.6ms 
       { expected_response:true }...: avg=155.66ms min=16.95ms  med=100.64ms max=1.02s   p(90)=354.08ms p(95)=431.6ms 
   ✓ http_req_failed................: 0.00%   ✓ 0        ✗ 396 
     http_req_receiving.............: avg=211.48µs min=59.64µs  med=144.61µs max=14.61ms p(90)=266.31µs p(95)=332.51µs
     http_req_sending...............: avg=35.84µs  min=6.81µs   med=22.22µs  max=2.32ms  p(90)=42.04µs  p(95)=80.12µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s      p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=155.41ms min=16.82ms  med=100.5ms  max=1.02s   p(90)=353.8ms  p(95)=430.65ms
     http_reqs......................: 396     1.647378/s
     iteration_duration.............: avg=851.88ms min=249.87ms med=915.16ms max=1.69s   p(90)=1.15s    p(95)=1.52s   
     iterations.....................: 73      0.303683/s
     vus............................: 0       min=0      max=6 
     vus_max........................: 60      min=60     max=60

This comment will automatically update with new output each time k6 runs for this PR ↩

Update dependency vite to v6.1.6 [SECURITY]

2c8451c

openverse-bot requested a review from a team as a code owner May 30, 2025 15:08

openverse-bot added dependencies Pull requests that update a dependency file 💻 aspect: code Concerns the software code in the repository 🟨 tech: javascript Involves JavaScript 🟩 priority: low Low priority and doesn't need to be rushed labels May 30, 2025

openverse-bot requested a review from obulat May 30, 2025 15:08

openverse-bot added 🧰 goal: internal improvement Improvement that benefits maintainers, not users 🧱 stack: frontend Related to the Nuxt frontend labels May 30, 2025

openverse-bot requested a review from dhruvkb May 30, 2025 15:08

openverse-bot added this to Openverse PRs May 30, 2025

openverse-bot moved this to 👀 Needs Review in Openverse PRs May 30, 2025

dhruvkb approved these changes May 31, 2025

View reviewed changes

openverse-bot moved this from 👀 Needs Review to ✅ Approved in Openverse PRs May 31, 2025

dhruvkb merged commit 28413be into main May 31, 2025
123 of 124 checks passed

dhruvkb deleted the gha-renovatenpm-vite-vulnerability branch May 31, 2025 08:48

github-project-automation bot moved this from ✅ Approved to 🤝 Merged in Openverse PRs May 31, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update dependency vite to v6.1.6 [SECURITY] #5431

Update dependency vite to v6.1.6 [SECURITY] #5431

Uh oh!

openverse-bot commented May 30, 2025

Uh oh!

github-actions bot commented May 30, 2025

Uh oh!

Uh oh!

Uh oh!

Update dependency vite to v6.1.6 [SECURITY] #5431

Update dependency vite to v6.1.6 [SECURITY] #5431

Uh oh!

Conversation

openverse-bot commented May 30, 2025

GitHub Vulnerability Alerts

Summary

Impact

Details

PoC

Summary

Impact

Details

PoC

Summary

Impact

Details

.svg

relative paths

PoC

Summary

Impact

Details

PoC

Summary

Impact

Details

PoC

Release Notes

Features

Fixes

Chore

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

6.1.0-beta.1 (2025-02-04)

6.1.0-beta.0 (2025-01-24)

Configuration

Uh oh!

github-actions bot commented May 30, 2025

Latest k6 run output1

Footnotes

Uh oh!

Uh oh!

Uh oh!

`.svg`

Latest k6 run output¹