Skip to content
This repository was archived by the owner on Aug 5, 2025. It is now read-only.

chore(deps): update dependency vite to v3.2.7 [security]#56

Closed
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-vite-vulnerability/VF-000
Closed

chore(deps): update dependency vite to v3.2.7 [security]#56
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-vite-vulnerability/VF-000

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate bot commented Jun 6, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 3.2.2 -> 3.2.7 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-34092

Summary

The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue. Adding Extra References : ## Steps to Fix. Update Vite:Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n\n2. Secure the Server Configuration:In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:```javascript\n // vite.config.js\n export default { server: {\n fs: {\n deny: ['private-directory'] // Restrict access to specific directories

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16

Details

Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.

PoC

  1. Create a new latest project of vite using any package manager. (here I'm using react and vue templates for tested and pnpm)
  2. Serve the application on dev mode using pnpm run dev.
  3. Directly access the file from url using double forward-slash (//) (e.g: //.env, //.env.local)
  4. Server Options fs.deny restrict successfully bypassed.

Proof Images:
proof-1
proof-2

Release Notes

vitejs/vite (vite)

v3.2.7

Compare Source

Please refer to CHANGELOG.md for details.

v3.2.6

Compare Source

v3.2.5

Compare Source

v3.2.4

Compare Source

v3.2.3

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added dependencies Pull requests that update a dependency file ready for review labels Jun 6, 2023
@renovate renovate bot requested review from jonahsnider and trs June 6, 2023 18:40
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 12 times, most recently from 5e1c2a6 to f9d4a95 Compare June 13, 2023 23:50
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 3 times, most recently from 2a699e2 to 60c81aa Compare June 16, 2023 20:24
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 10 times, most recently from f3d1d9b to e747b1d Compare July 12, 2023 22:15
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch from e747b1d to 610bb8f Compare July 14, 2023 02:20
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 4 times, most recently from 632636e to cbb9081 Compare August 9, 2023 13:55
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 12 times, most recently from 9ee0268 to 5f87e5b Compare August 26, 2023 05:38
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 2 times, most recently from 3b61ac3 to 62726b6 Compare August 30, 2023 19:11
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 6 times, most recently from 3261187 to 4a7e3b5 Compare September 28, 2023 21:27
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 3 times, most recently from e0a57be to 1e6bef9 Compare October 12, 2023 21:50
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch from 1e6bef9 to cca24f1 Compare October 12, 2023 21:57
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jonahsnider jonahsnider Awaiting requested review from jonahsnider

@trs trs Awaiting requested review from trs

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ready for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@effervescentia