Information Exposure
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as '#'. An attacker can access and retrieve the contents of arbitrary files by sending specially crafted requests that bypass the server.fs.deny checks.
Note:
This is only exploitable if the Vite dev server is explicitly exposed to the network and running on Node or Bun runtimes, excluding Deno.
How to fix Information Exposure? A fix was pushed into the master branch but not yet published.
Access Control Bypass
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Access Control Bypass through the server.fs.deny configuration, which is bypassed when using ?import query with inline and raw parameters. An attacker can read arbitrary files and return their content if they exist by crafting a URL that includes specific query parameters.
How to fix Access Control Bypass? A fix was pushed into the master branch but not yet published.
Incorrect Authorization
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Incorrect Authorization via the bypass of the server.fs.deny restriction. An attacker can access restricted files by appending ?.svg with ?.wasm?init or with sec-fetch-dest: script header to the requests.
Note:
This is only exploitable if the file is smaller than the build.assetsInlineLimit (default: 4kB), when using Vite 6.0+ and when the Vite dev server is explicitly exposed to the network (using the --host or server.host config option).
How to fix Incorrect Authorization? A fix was pushed into the master branch but not yet published.
Incorrect Authorization
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Incorrect Authorization due to missing checks in transformMiddleware() which ignore certain query parameters. An attacker can access unauthorized files by including a ?raw?? or ?import&raw?? URL parameter. The server.fs.deny list is not checked when handling these queries, and the file contents are returned.
Note: The dev server is configured by default to be inaccessible. This is only exploitable if the dev server is exposed to the network with either the --host command line option or server.host config option.
How to fix Incorrect Authorization? A fix was pushed into the master branch but not yet published.
Origin Validation Error
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Origin Validation Error due to default CORS settings and lack of validation on the Origin header for WebSocket connections, allowing any website to send requests to the development server and read the response. An attacker can intercept and manipulate requests by sending crafted WebSocket requests from unauthorized origins.
Note:
In addition to upgrading to a fixed version, the following configuration changes are needed to fix the vulnerability:
If the backend integration feature is used and server.origin is not set, the origin of the backend server needs to be added to the server.cors.origin option. Make sure to set a specific origin rather than * , otherwise any origin can access your development server;
If a reverse proxy is used in front of Vite and requests are sent to Vite with a hostname other than localhost or *.localhost , the hostname needs to be added to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173 , vite needs to be added to the server.allowedHosts option;
If the development server is accessed via a domain other than localhost or *.localhost the hostname needs to be added to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080 , you need to add foo.example.com to the server.allowedHosts option;
If a plugin / framework is used that connects to the WebSocket server on its own from the browser and the WebSocket connection appears not to be working after upgrading to a fixed version, it is recommended to either fix the plugin / framework code to make it compatible with the new version or to set legacy.skipWebSocketTokenCheck: true to opt out of the fix for "Lack of validation on the Origin header for WebSocket connections" while the plugin / framework is incompatible with the new version of Vite. When enabling this option, make sure that you are aware of the security implications of this vulnerability.
How to fix Origin Validation Error? A fix was pushed into the master branch but not yet published.
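The remediation notes above amount to two config decisions: a specific server.cors.origin instead of '*', and an explicit server.allowedHosts list for any non-localhost hostname. The following added example (not from the advisory or the Vite project) builds that hardened server section from constructed deployment facts and audits an existing config for the weak settings the notes warn about; it uses plain functions rather than a vite.config.js export so it runs stand-alone, and the hostnames and origin are placeholders.

```javascript
// Added example, not part of the advisory or of Vite itself.
// Hostnames and the backend origin below are constructed placeholders.

// Vite always allows localhost and *.localhost; only other names need listing.
function isLocalhost(host) {
  return host === 'localhost' || host.endsWith('.localhost');
}

// Derive `server` options from deployment facts. `backendOrigin` is the
// origin of a backend-integration server when server.origin is not set;
// `hostnames` are the names a reverse proxy or browser uses to reach Vite.
function buildServerConfig({ backendOrigin = null, hostnames = [] } = {}) {
  const server = {};
  if (backendOrigin) {
    // A specific origin, never '*': '*' would let any site read dev-server responses.
    server.cors = { origin: [backendOrigin] };
  }
  const allowed = [...new Set(hostnames.filter((h) => !isLocalhost(h)))];
  if (allowed.length > 0) {
    server.allowedHosts = allowed;
  }
  return server;
}

// Audit the `server` and `legacy` sections of an existing config.
// Returns the problems found (empty when the config follows the notes).
function auditConfig({ server = {}, legacy = {} } = {}) {
  const findings = [];
  const cors = server.cors;
  // `cors: true` and `origin: '*'` both admit every origin (cors middleware semantics).
  if (cors === true || (cors && (cors.origin === '*' || cors.origin === true))) {
    findings.push('server.cors.origin allows any origin; set the backend origin explicitly');
  }
  if (server.allowedHosts === true) {
    findings.push('server.allowedHosts: true accepts any Host header; list hostnames instead');
  }
  if (legacy.skipWebSocketTokenCheck === true) {
    findings.push('legacy.skipWebSocketTokenCheck re-opens the WebSocket origin issue');
  }
  return findings;
}

// Constructed deployment: backend on port 3000, reverse proxy reaching
// http://vite:5173, developers browsing to http://foo.example.com:8080.
const hardenedServer = buildServerConfig({
  backendOrigin: 'http://localhost:3000',
  hostnames: ['vite', 'foo.example.com', 'localhost'],
});
// In vite.config.js this would become: export default { server: hardenedServer };
```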
Information Exposure
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Information Exposure when using ?import&raw in the URL parameters. An attacker can access file contents that should be restricted by exploiting this bypass mechanism.
How to fix Information Exposure? Upgrade org.webjars.npm:vite to version 5.4.9 or higher.
Cross-site Scripting (XSS)
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the document.currentScript lookup mechanism when building scripts to the cjs/iife/umd output formats.
This vulnerability is exploitable on websites that allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.
How to fix Cross-site Scripting (XSS)? Upgrade org.webjars.npm:vite to version 5.4.9 or higher.
Improper Access Control
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Improper Access Control due to improper request handling through server.fs.deny configuration, which fails to deny requests for patterns with directories. This misconfiguration allows an attacker to bypass intended access restrictions and retrieve sensitive files from the server by crafting specific requests.
Note:
Only apps setting a custom server.fs.deny that includes a pattern with directories and explicitly exposing the Vite dev server to the network (using the --host or server.host config option) are affected.
How to fix Improper Access Control? Upgrade org.webjars.npm:vite to version 5.4.9 or higher.
Access Control Bypass
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Access Control Bypass via the server.fs.deny option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows.
How to fix Access Control Bypass? Upgrade org.webjars.npm:vite to version 5.4.9 or higher.
Path Equivalence
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Path Equivalence such that Server Options (server.fs.deny) can be bypassed using a double forward-slash (//), allowing any unauthenticated user to read files from the Vite root-path of the application, including those covered by the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}']).
Note:
Only users explicitly exposing the Vite dev server to the network (using the --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.
How to fix Path Equivalence? Upgrade org.webjars.npm:vite to version 5.4.9 or higher.
Directory Traversal
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Directory Traversal. It allows attackers to perform a directory traversal via a crafted URL to the victim's service.
How to fix Directory Traversal? Upgrade org.webjars.npm:vite to version 2.9.13 or higher.