Update dependency vite to v7.1.11 [SECURITY] #60

Merged
Renovater merged 1 commit from renovate/npm-vite-vulnerability into master 2025-10-26 12:58:18 +01:00
Collaborator


This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [vite](https://vite.dev) ([source](https://github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`7.1.10` -> `7.1.11`](https://renovatebot.com/diffs/npm/vite/7.1.10/7.1.11) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/7.1.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/7.1.10/7.1.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### vite allows server.fs.deny bypass via backslash on Windows

[CVE-2025-62522](https://nvd.nist.gov/vuln/detail/CVE-2025-62522) / [GHSA-93m4-6634-74q7](https://github.com/advisories/GHSA-93m4-6634-74q7)

<details>
<summary>More information</summary>

#### Details

##### Summary

Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows.

##### Impact

Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- running the dev server on Windows

##### Details

`server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed by using a backslash (`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.

##### PoC

```shell
npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173
```

<img width="1593" height="616" alt="image" src="https://github.com/user-attachments/assets/36212f4e-1d3c-4686-b16f-16b35ca9e175" />

#### Severity

- CVSS Score: 6.0 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`

#### References

- [https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7](https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-62522](https://nvd.nist.gov/vuln/detail/CVE-2025-62522)
- [https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed](https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed)
- [https://github.com/vitejs/vite](https://github.com/vitejs/vite)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-93m4-6634-74q7) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v7.1.11`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-7111-2025-10-20-small)

[Compare Source](https://github.com/vitejs/vite/compare/v7.1.10...v7.1.11)

##### Bug Fixes

- **dev:** trim trailing slash before `server.fs.deny` check ([#20968](https://github.com/vitejs/vite/issues/20968)) ([f479cc5](https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed))

##### Miscellaneous Chores

- **deps:** update all non-major dependencies ([#20966](https://github.com/vitejs/vite/issues/20966)) ([6fb41a2](https://github.com/vitejs/vite/commit/6fb41a260bda443685e719ea4765d3faca3db944))

##### Code Refactoring

- use subpath imports for types module reference ([#20921](https://github.com/vitejs/vite/issues/20921)) ([d0094af](https://github.com/vitejs/vite/commit/d0094af639d9ebbb51d4e00910b74f23eb8fe131))

##### Build System

- remove cjs reference in files field ([#20945](https://github.com/vitejs/vite/issues/20945)) ([ef411ce](https://github.com/vitejs/vite/commit/ef411cee2696af3ba791879fdae9aad165f178b2))
- remove hash from built filenames ([#20946](https://github.com/vitejs/vite/issues/20946)) ([a817307](https://github.com/vitejs/vite/commit/a81730754d655d1371ce0f4354af1c84e12f9f2d))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
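The advisory's root cause is a mismatch between the name the deny check inspects and the name the operating system actually opens: a trailing separator is dropped by the filesystem but not by the pattern match, so `/.env\` slips past a rule written for `.env`. The following is an added example, not Vite's own code or the fix in commit f479cc5: it models a `server.fs.deny` check in two shapes, the vulnerable one that matches the raw request path and the hardened one that normalizes trailing separators the same way the OS does before matching. The `globToRegExp` helper and the `pathTheOsOpens` model of filesystem behaviour are assumptions for this illustration (Vite itself uses picomatch); the sample requests are constructed.

```javascript
// Added example (not Vite's code): a minimal model of a dev-server
// `server.fs.deny` check, showing why a trailing separator let a denied
// file through and the normalization that closes the gap.

// Deny patterns as listed in the advisory's description of the defaults.
const DENY_PATTERNS = [".env", ".env.*", "*.{crt,pem}"];

// Hypothetical helper: turn a small glob (supports `*` and `{a,b}`) into a
// RegExp anchored over the whole basename. Vite itself uses picomatch.
function globToRegExp(glob) {
  let re = "";
  for (const c of glob) {
    if (c === "*") re += "[^/]*";
    else if (c === "{") re += "(?:";
    else if (c === "}") re += ")";
    else if (c === ",") re += "|";
    else re += c.replace(/[.+?^$()[\]\\|]/g, "\\$&");
  }
  return new RegExp(`^${re}$`);
}
const DENY_REGEXPS = DENY_PATTERNS.map(globToRegExp);

// Model of the OS behaviour the advisory names: a trailing separator is
// ignored when the file is opened, so "/foo.png/" opens "/foo.png", and on
// Windows "\" is a separator too, so "/.env\" opens "/.env". On POSIX a
// backslash is an ordinary filename character and nothing is stripped.
function pathTheOsOpens(urlPath, isWindows) {
  return urlPath.replace(isWindows ? /[\\/]+$/ : /\/+$/, "");
}

function basename(p) {
  return p.slice(p.lastIndexOf("/") + 1);
}

// Vulnerable shape: patterns are matched against the basename of the request
// path exactly as received. ".env\" does not match ".env", so the request is
// allowed, yet the OS goes on to open ".env".
function isDeniedUnsafe(urlPath) {
  return DENY_REGEXPS.some((re) => re.test(basename(urlPath)));
}

// Hardened shape, in the spirit of the changelog entry "trim trailing slash
// before server.fs.deny check": normalize the path the way the OS will, then
// match, so the checked name and the opened name can no longer diverge.
function isDeniedHardened(urlPath, isWindows) {
  return DENY_REGEXPS.some((re) =>
    re.test(basename(pathTheOsOpens(urlPath, isWindows))));
}

// Evaluate one request under both checks. "bypass" marks a request the unsafe
// check allows although the file the OS would open is on the deny list.
function evaluate(urlPath, isWindows) {
  const opens = pathTheOsOpens(urlPath, isWindows);
  const unsafe = isDeniedUnsafe(urlPath);
  const hardened = isDeniedHardened(urlPath, isWindows);
  const bypass = !unsafe && DENY_REGEXPS.some((re) => re.test(basename(opens)));
  return { urlPath, isWindows, opens, unsafe, hardened, bypass };
}

// Constructed sample requests, not captured traffic.
const SAMPLE_REQUESTS = [
  ["/.env", true],
  ["/.env\\", true],       // the advisory's case: trailing backslash on Windows
  ["/.env\\", false],      // same bytes on a POSIX host: "\" is just a character
  ["/.env/", true],        // the root-cause shape from fs.readFile('/foo.png/')
  ["/.env.local", true],
  ["/server.pem\\", true],
  ["/index.html", true],
];

for (const [p, win] of SAMPLE_REQUESTS) {
  console.log(JSON.stringify(evaluate(p, win)));
}
```

The model reproduces the advisory's scoping: the same `/.env\` request is a bypass only when `isWindows` is true, because only there does the filesystem treat the trailing backslash as a separator. The general lesson for any path-based allow/deny check is that the check must run on the canonical path the OS will open, not on the path as the client wrote it.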
Renovater added 1 commit 2025-10-26 10:02:44 +01:00
Renovater scheduled this pull request to auto merge when all checks succeed 2025-10-26 10:02:44 +01:00
Renovater force-pushed renovate/npm-vite-vulnerability from 96829e54a4 to 2c72c461e4 2025-10-26 12:58:15 +01:00 Compare
Renovater merged commit 385353ac1e into master 2025-10-26 12:58:18 +01:00
Renovater deleted branch renovate/npm-vite-vulnerability 2025-10-26 12:58:18 +01:00
Reference: watson/octubre#60