This repository was archived by the owner on Jun 13, 2023. It is now read-only.
chore(deps): update dependency vite to v4.1.5 [security] #46
+5
−5
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.1.4
->4.1.5
GitHub Vulnerability Alerts
CVE-2023-34092
Summary
Vite Server Options (
server.fs.deny
) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the defaultfs.deny
settings (['.env', '.env.*', '*.{crt,pem}']
)Impact
Only users explicitly exposing the Vite dev server to the network (using
--host
orserver.host
config option) are affected, and only files in the immediate Vite project root folder could be exposed.Patches
Fixed in [email protected], [email protected], [email protected], [email protected]
And in the latest minors of the previous two majors: [email protected], [email protected]
Details
Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.
PoC
//
) (e.g://.env
,//.env.local
)fs.deny
restrict successfully bypassed.Proof Images:


Release Notes
vitejs/vite
v4.1.5
Compare Source
Please refer to CHANGELOG.md for details.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.