Homepage

vite@6.0.1 vulnerabilities

Native-ESM powered web dev build tool

  • latest version

    6.3.2

  • latest non vulnerable version

    6.3.2

  • first published

    4 years ago

  • latest version published

    1 days ago

  • licenses detected

  • View vite package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Information Exposure

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Information Exposure due to the handling of req.url which may contain unexpected characters such as #. An attacker can access and retrieve the contents of arbitrary files by sending specially crafted requests that bypass the server.fs.deny checks.

    Note:

    This is only exploitable if the Vite dev server is explicitly exposed to the network and running on Node or Bun runtimes, excluding Deno.

    How to fix Information Exposure?

    Upgrade vite to version 4.5.13, 5.4.18, 6.0.15, 6.1.5, 6.2.6 or higher.

    <4.5.13>=5.0.0 <5.4.18>=6.0.0 <6.0.15>=6.1.0 <6.1.5>=6.2.0 <6.2.6
    • H
    Incorrect Authorization

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Incorrect Authorization via the bypass of the server.fs.deny restriction. An attacker can access restricted files by appending ?.svg with ?.wasm?init or with sec-fetch-dest: script header to the requests.

    Note:

    This is only exploitable if the file is smaller than the build.assetsInlineLimit (default: 4kB), when using Vite 6.0+ and when the Vite dev server is explicitly exposed to the network (using --host or server.host config option.

    How to fix Incorrect Authorization?

    Upgrade vite to version 4.5.12, 5.4.17, 6.0.14, 6.1.4, 6.2.5 or higher.

    <4.5.12>=5.0.0 <5.4.17>=6.0.0 <6.0.14>=6.1.0 <6.1.4>=6.2.0 <6.2.5
    • M
    Access Control Bypass

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Access Control Bypass through the server.fs.deny configuration, which is bypassed when using ?import query with inline and raw parameters. An attacker can read arbitrary files and return their content if they exist by crafting a URL that includes specific query parameters.

    How to fix Access Control Bypass?

    Upgrade vite to version 4.5.11, 5.4.16, 6.0.13, 6.1.3, 6.2.4 or higher.

    <4.5.11>=5.0.0 <5.4.16>=6.0.0 <6.0.13>=6.1.0 <6.1.3>=6.2.0 <6.2.4
    • M
    Incorrect Authorization

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Incorrect Authorization due to missing checks in transformMiddleware() which ignore certain query parameters. An attacker can access unauthorized files by including a ?raw?? or ?import&raw?? URL parameter. The allow list used by server.fs.deny() is not checked when handling these queries and the file contents are returned.

    Note: The dev server is configured by default to be inaccessible. This is only exploitable if the dev server is exposed to the network with either the --host command line option or server.host config option.

    How to fix Incorrect Authorization?

    Upgrade vite to version 4.5.10, 5.4.15, 6.0.12, 6.1.2, 6.2.3 or higher.

    <4.5.10>=5.0.0 <5.4.15>=6.0.0 <6.0.12>=6.1.0 <6.1.2>=6.2.0 <6.2.3
    • M
    Origin Validation Error

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Origin Validation Error due to default CORS settings and lack of validation on the Origin header for WebSocket connections, making any websites able to send any requests to the development server and read the response. An attacker can intercept and manipulate requests by sending crafted WebSocket requests from unauthorized origins.

    Note:

    Additionally to upgrading to a fixed version, the following configurations need to be made to fix the vulnerability:

    1. If the backend integration feature is used and server.origin is not set, the origin of the backend server needs to be added to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server;

    2. If a reverse proxy is used in front of Vite and requests are sent to Vite with a hostname other than localhost or *.localhost, the hostname needs to be added to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, vite needs to be added to the server.allowedHosts option;

    3. If the development server is accessed via a domain other than localhost or *.localhost the hostname needs to be added to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option;

    4. If a plugin / framework is used that connects to the WebSocket server on their own from the browser and the WebSocket connection appears not to be working after upgrading to a fixed version, it is recommended to either fix the plugin / framework code to the make it compatible with the new version or to set legacy.skipWebSocketTokenCheck: true to opt-out the fix for "Lack of validation on the Origin header for WebSocket connections" while the plugin / framework is incompatible with the new version of Vite. When enabling this option, make sure that you are aware of the security implications of this vulnerability.

    How to fix Origin Validation Error?

    Upgrade vite to version 4.5.6, 5.4.12, 6.0.9 or higher.

    <4.5.6>=5.0.0 <5.4.12>=6.0.0 <6.0.9
    Go back to all versions of this package