chore(deps): update dependency vite to v7 [security] #19

renovate · 2025-01-23T03:28:40Z

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	`^3.2.8` -> `^7.0.0`

GitHub Vulnerability Alerts

CVE-2025-24010

Summary

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

Warning

This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network.

Upgrade Path

Users that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

Using the backend integration feature
Using a reverse proxy in front of Vite
Accessing the development server via a domain other than localhost or *.localhost
Using a plugin / framework that connects to the WebSocket server on their own from the browser

Using the backend integration feature

If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.

Using a reverse proxy in front of Vite

If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.

Accessing the development server via a domain other than `localhost` or `*.localhost`

You need to add the hostname to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option.

Using a plugin / framework that connects to the WebSocket server on their own from the browser

If you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.

In that case, you can either:

fix the plugin / framework code to the make it compatible with the new version of Vite
set legacy.skipWebSocketTokenCheck: true to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite
- When enabling this option, make sure that you are aware of the security implications described in the impact section of [2] above.

Mitigation without upgrading Vite

[1]: Permissive default CORS settings

Set server.cors to false or limit server.cors.origin to trusted origins.

[2]: Lack of validation on the Origin header for WebSocket connections

There aren't any mitigations for this.

[3]: Lack of validation on the Host header for HTTP requests

Use Chrome 94+ or use HTTPS for the development server.

Details

There are three causes that allowed malicious websites to send any requests to the development server:

[1]: Permissive default CORS settings

Vite sets the Access-Control-Allow-Origin header depending on server.cors option. The default value was true which sets Access-Control-Allow-Origin: *. This allows websites on any origin to fetch contents served on the development server.

Attack scenario:

The attacker serves a malicious web page (http://malicious.example.com).
The user accesses the malicious web page.
The attacker sends a fetch('http://127.0.0.1:5173/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
The attacker gets the content of http://127.0.0.1:5173/main.js.

[2]: Lack of validation on the Origin header for WebSocket connections

Vite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server did not perform validation on the Origin header and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection (list of the file paths that changed, the file content where the errored happened, etc.), but plugins can send arbitrary messages and may include more sensitive information.

Attack scenario:

The attacker serves a malicious web page (http://malicious.example.com).
The user accesses the malicious web page.
The attacker runs new WebSocket('http://127.0.0.1:5173', 'vite-hmr') by JS in that malicious web page.
The user edits some files.
Vite sends some HMR messages over WebSocket.
The attacker gets the content of the HMR messages.

[3]: Lack of validation on the Host header for HTTP requests

Unless server.https is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.

The attacker serves a malicious web page that is served on HTTP (http://malicious.example.com:5173) (HTTPS won't work).
The user accesses the malicious web page.
The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).
The attacker sends a fetch('/main.js') request by JS in that malicious web page.
The attacker gets the content of http://127.0.0.1:5173/main.js bypassing the same origin policy.

Impact

[1]: Permissive default CORS settings

Users with the default server.cors option may:

get the source code stolen by malicious websites
give the attacker access to functionalities that are not supposed to be exposed externally
- Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

[2]: Lack of validation on the Origin header for WebSocket connections

All users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.

For users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.

For users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.

[3]: Lack of validation on the Host header for HTTP requests

Users using HTTP for the development server and using a browser that is not Chrome 94+ may:

get the source code stolen by malicious websites
give the attacker access to functionalities that are not supposed to be exposed externally
- Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

Chrome 94+ users are not affected for [3], because sending a request to a private network page from public non-HTTPS page is forbidden since Chrome 94.

Related Information

Safari has a bug that blocks requests to loopback addresses from HTTPS origins. This means when the user is using Safari and Vite is listening on lookback addresses, there's another condition of "the malicious web page is served on HTTP" to make [1] and [2] to work.

PoC

[2]: Lack of validation on the Origin header for WebSocket connections

I used the react template which utilizes HMR functionality.

npm create vite@latest my-vue-app-react -- --template react

Then on a malicious server, serve the following POC html:

<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>

Kick off Vite

npm run dev

Load the development server (open http://localhost:5173/) as well as the malicious page in the browser.
Edit src/App.jsx file and intentionally place a syntax error
Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed

Here's a video demonstrating the POC:

vite-cswsh.mov

Release Notes

vitejs/vite (vite)

`v7.0.4`

Compare Source

Bug Fixes

allow resolving bare specifiers to relative paths for entries (#20379) (324669c)

Build System

remove @oxc-project/runtime devDep (#20389) (5e29602)

`v7.0.3`

Compare Source

Bug Fixes

client: protect against window being defined but addEv undefined (#20359) (31d1467)
define: replace optional values (#20338) (9465ae1)
deps: update all non-major dependencies (#20366) (43ac73d)

Miscellaneous Chores

deps: update dependency dotenv to v17 (#20325) (45040d4)
deps: update dependency rolldown to ^1.0.0-beta.24 (#20365) (5ab25e7)
use n/prefer-node-protocol rule (#20368) (38bb268)

Code Refactoring

minor changes to reduce diff between normal Vite and rolldown-vite (#20354) (2e8050e)

`v7.0.2`

Compare Source

Bug Fixes

css: resolve relative paths in sass, revert #20300 (#20349) (db8bd41)

`v7.0.1`

Compare Source

Bug Fixes

css: skip resolving resolved paths in sass (#20300) (ac528a4)
deps: update all non-major dependencies (#20324) (3e81af3)
types: add a global interface for Worker (#20243) (37bdfc1)

Miscellaneous Chores

deps: update rolldown-related dependencies (#20323) (30d2f1b)
fix typos and grammatical errors across documentation and comments (#20337) (c1c951d)
group commits by category in changelog (#20310) (41e83f6)
rearrange 7.0 changelog (#20280) (eafd28a)

`v7.0.0`

Compare Source

fix: keep import.meta.url in bundled Vite (#20235) (3bf3a8a), closes #20235
fix(deps): update all non-major dependencies (#20271) (6b64d63), closes #20271
fix(module-runner): export ssrExportNameKey (#20266) (ac302a7), closes #20266
fix(module-runner): expose normalizeModuleId (#20277) (9b98dcb), closes #20277
feat(types): use terser types from terser package (#20274) (a5799fa), closes #20274
chore: "indentity" → "identity" in test description (#20225) (ea9aed7), closes #20225
chore: typos in comments (#20259) (b135918), closes #20259
chore(deps): update rolldown-related dependencies (#20270) (f7377c3), closes #20270
perf(utils): improve performance of numberToPos (#20244) (3f46901), closes #20244

`v6.3.5`

Compare Source

fix(ssr): handle uninitialized export access as undefined (#19959) (fd38d07), closes #19959

`v6.3.4`

Compare Source

fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965
fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940
refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

`v6.3.3`

Compare Source

fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853
fix(assets): ensure ?no-inline is not included in the asset url in the production environment (#1949 (16a73c0), closes #19496
fix(css): resolve relative imports in sass properly on Windows (#19920) (ffab442), closes #19920
fix(deps): update all non-major dependencies (#19899) (a4b500e), closes #19899
fix(ssr): fix execution order of re-export (#19841) (ed29dee), closes #19841
fix(ssr): fix live binding of default export declaration and hoist exports getter (#19842) (80a91ff), closes #19842
perf: skip sourcemap generation for renderChunk hook of import-analysis-build plugin (#19921) (55cfd04), closes #19921
test(ssr): test ssrTransform re-export deps and test stacktrace with first line (#19629) (9399cda), closes #19629

`v6.3.2`

Compare Source

fix: match default asserts case insensitive (#19852) (cbdab1d), closes #19852
fix: open first url if host does not match any urls (#19886) (6abbdce), closes #19886
fix(css): respect css.lightningcss option in css minification process (#19879) (b5055e0), closes #19879
fix(deps): update all non-major dependencies (#19698) (bab4cb9), closes #19698
feat(css): improve lightningcss messages (#19880) (c713f79), closes #19880

`v6.3.1`

Compare Source

fix: avoid using Promise.allSettled in preload function (#19805) (35c7f35), closes #19805
fix: backward compat for internal plugin transform calls (#19878) (a152b7c), closes #19878

`v6.3.0`

Compare Source

fix(hmr): avoid infinite loop happening with hot.invalidate in circular deps (#19870) (d4ee5e8), closes #19870
fix(preview): use host url to open browser (#19836) (5003434), closes #19836

`v6.2.7`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.6`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.5`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.4`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.3`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.2`

Compare Source

fix: await client buildStart on top level buildStart (#19624) (b31faab), closes #19624
fix(css): inline css correctly for double quote use strict (#19590) (d0aa833), closes #19590
fix(deps): update all non-major dependencies (#19613) (363d691), closes #19613
fix(indexHtml): ensure correct URL when querying module graph (#19601) (dc5395a), closes #19601
fix(preview): use preview https config, not server (#19633) (98b3160), closes #19633
fix(ssr): use optional chaining to prevent "undefined is not an object" happening in `ssrRewriteStac (4309755), closes #19612
feat: show friendly error for malformed base (#19616) (2476391), closes #19616
feat(worker): show asset filename conflict warning (#19591) (367d968), closes #19591
chore: extend commit hash correctly when ambigious with a non-commit object (#19600) (89a6287), closes #19600

`v6.2.1`

Compare Source

refactor: remove isBuild check from preAliasPlugin (#19587) (c9e086d), closes #19587
refactor: restore endsWith usage (#19554) (6113a96), closes #19554
refactor: use applyToEnvironment in internal plugins (#19588) (f678442), closes #19588
fix(css): stabilize css module hashes with lightningcss in dev mode (#19481) (92125b4), closes #19481
fix(deps): update all non-major dependencies (#19555) (f612e0f), closes #19555
fix(reporter): fix incorrect bundle size calculation with non-ASCII characters (#19561) (437c0ed), closes #19561
fix(sourcemap): combine sourcemaps with multiple sources without matched source (#18971) (e3f6ae1), closes #18971
fix(ssr): named export should overwrite export all (#19534) (2fd2fc1), closes #19534
feat: add *?url&no-inline type and warning for .json?inline / .json?no-inline (#19566) (c0d3667), closes #19566
test: add glob import test case (#19516) (aa1d807), closes #19516
test: convert config playground to unit tests (#19568) (c0e68da), closes #19568
test: convert resolve-config playground to unit tests (#19567) (db5fb48), closes #19567
perf: flush compile cache after 10s (#19537) (6c8a5a2), closes #19537
chore(css): move environment destructuring after condition check (#19492) (c9eda23), closes #19492
chore(html): remove unnecessary value check (#19491) (797959f), closes #19491

`v6.2.0`

Compare Source

fix(deps): update all non-major dependencies (#19501) (c94c9e0), closes #19501
fix(worker): string interpolation in dynamic worker options (#19476) (07091a1), closes #19476
chore: use unicode cross icon instead of x (#19497) (5c70296), closes #19497

`v6.1.6`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.5`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.4`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.3`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.2`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.1`

Compare Source

fix: ensure .[cm]?[tj]sx? static assets are JS mime (#19453) (e7ba55e), closes #19453
fix: ignore *.ipv4 address in cert (#19416) (973283b), closes #19416
fix(css): run rewrite plugin if postcss plugin exists (#19371) (bcdb51a), closes #19371
fix(deps): bump tsconfck (#19375) (746a583), closes #19375
fix(deps): update all non-major dependencies (#19392) (60456a5), closes #19392
fix(deps): update all non-major dependencies (#19440) (ccac73d), closes #19440
fix(html): ignore malformed src attrs (#19397) (aff7812), closes #19397
fix(worker): fix web worker type detection (#19462) (edc65ea), closes #19462
refactor: remove custom .jxl mime (#19457) (0c85464), closes #19457
feat: add support for injecting debug IDs (#18763) (0ff556a), closes #18763
chore: update 6.1.0 changelog (#19363) (fa7c211), closes #19363

`v6.1.0`

Compare Source

Features

feat: show hosts in cert in CLI (#19317) (a5e306f), closes #19317
feat: support for env var for defining allowed hosts (#19325) (4d88f6c), closes #19325
feat: use native runtime to import the config (#19178) (7c2a794), closes #19178
feat: print port in the logged error message after failed WS connection with EADDRINUSE (#19212) (14027b0), closes #19212
perf(css): only run postcss when needed (#19061) (30194fa), closes #19061
feat: add support for .jxl (#18855) (57b397c), closes #18855
feat: add the builtins environment resolve (#18584) (2c2d521), closes #18584
feat: call Logger for plugin logs in build (#13757) (bf3e410), closes #13757
feat: export defaultAllowedOrigins for user-land config and 3rd party plugins (#19259) (dc8946b), closes #19259
feat: expose createServerModuleRunnerTransport (#18730) (8c24ee4), closes #18730
feat: support async for proxy.bypass (#18940) (a6b9587), closes #18940
feat: support log related functions in dev (#18922) (3766004), closes #18922
feat: use module runner to import the config (#18637) (b7e0e42), closes #18637
feat(css): add friendly errors for IE hacks that are not supported by lightningcss (#19072) (caad985), closes #19072
feat(optimizer): support bun text lockfile (#18403) (05b005f), closes #18403
feat(reporter): add wasm to the compressible assets regex (#19085) (ce84142), closes #19085
feat(worker): support dynamic worker option fields (#19010) (d0c3523), closes #19010

Fixes

fix: avoid builtStart during vite optimize (#19356) (fdb36e0), closes #19356
fix(build): fix stale build manifest on watch rebuild (#19361) (fcd5785), closes #19361
fix: allow expanding env vars in reverse order (#19352) (3f5f2bd), closes #19352
fix: avoid packageJson without name in resolveLibCssFilename (#19324) (f183bdf), closes #19324
fix(html): fix css disorder when building multiple entry html (#19143) (e7b4ba3), closes #19143
fix: don't call buildStart hooks for vite optimize (#19347) (19ffad0), closes #19347
fix: don't call next middleware if user sent response in proxy.bypass (#19318) (7e6364d), closes #19318
fix: respect top-level server.preTransformRequests (#19272) (12aaa58), closes #19272
fix: use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#19313) (9fc31b6), closes #19313
fix(css): less @plugin imports of JS files treated as CSS and rebased (fix #19268) (#19269) (602b373), closes #19268 #19269
fix(deps): update all non-major dependencies (#19296) (2bea7ce), closes #19296
fix(resolve): preserve hash/search of file url (#19300) (d1e1b24), closes #19300
fix(resolve): warn if node-like builtin was imported when resolve.builtin is empty (#19312) (b7aba0b), closes #19312
fix(ssr): fix transform error due to export all id scope (#19331) (e28bce2), closes #19331
fix(ssr): pretty print plugin error in ssrLoadModule (#19290) (353c467), closes #19290
fix: change ResolvedConfig type to interface to allow extending it (#19210) (bc851e3), closes #19210
fix: correctly resolve hmr dep ids and fallback to url (#18840) (b84498b), closes #18840
fix: make --force work for all environments (#18901) (51a42c6), closes #18901
fix: use loc.file from rollup errors if available (#19222) (ce3fe23), closes #19222
fix(deps): update all non-major dependencies (#19190) (f2c07db), closes #19190
fix(hmr): register inlined assets as a dependency of CSS file (#18979) (eb22a74), closes #18979
fix(resolve): support resolving TS files by JS extension specifiers in JS files (#18889) (612332b), closes #18889
fix(ssr): combine empty source mappings (#19226) (ba03da2), closes #19226
fix(utils): clone RegExp values with new RegExp instead of structuredClone (fix #19245, fix #1 (56ad2be), closes #19245 #18875 #19247

Chore

refactor: deprecate vite optimize command (#19348) (6e0e3c0), closes #19348
chore: update deprecate links domain (#19353) (2b2299c), closes #19353
docs: rephrase browser range and features relation (#19286) (97569ef), closes #19286
docs: update build.manifest jsdocs (#19332) (4583781), closes #19332
chore: remove outdated code comment about scanImports not being used in ssr (#19285) (fbbc6da), closes #19285
chore: unneeded name in lockfileFormats (#19275) (96092cb), closes #19275
chore(deps): update dependency strip-literal to v3 (#19231) (1172d65), closes #19231

Beta Changelogs

Please refer to CHANGELOG.md for details.

`v6.0.14`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.0.13`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.0.12`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.0.11`

Compare Source

fix: preview.allowedHosts with specific values was not respected (#19246) (aeb3ec8), closes #19246
fix: allow CORS from loopback addresses by default (#19249) ([3d03899](https://redirect.github.com/vitejs/vit

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 0da8de8 to 9b48dfa Compare January 25, 2025 03:05

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Jan 25, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 9b48dfa to d897cbd Compare January 26, 2025 06:48

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Jan 26, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from d897cbd to 1eafdda Compare January 31, 2025 07:58

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Jan 31, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 1eafdda to 39d9273 Compare February 2, 2025 10:48

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Feb 2, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 39d9273 to 07a1453 Compare February 11, 2025 03:26

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Feb 11, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 07a1453 to 92c2556 Compare February 15, 2025 07:22

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Feb 15, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 92c2556 to 1511c9e Compare March 6, 2025 03:54

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Mar 6, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 1511c9e to a5ab4ca Compare March 8, 2025 04:04

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Mar 8, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from a5ab4ca to c8af7cb Compare March 13, 2025 07:48

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Mar 13, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from c8af7cb to ae3eb9c Compare March 15, 2025 12:11

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Mar 15, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from ae3eb9c to 82ffc9b Compare March 19, 2025 03:50

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Mar 19, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 82ffc9b to 5580fbf Compare March 22, 2025 03:36

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Mar 22, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 5580fbf to 124dd91 Compare April 1, 2025 23:44

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Apr 1, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 124dd91 to 7489490 Compare April 3, 2025 23:49

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Apr 3, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 7489490 to 8e4ea0a Compare April 12, 2025 03:45

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Apr 12, 2025

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Apr 26, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from c5f1e37 to 5b9d265 Compare April 27, 2025 08:09

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Apr 27, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 5b9d265 to 3d64c63 Compare May 10, 2025 00:08

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] May 10, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 3d64c63 to fcd12bf Compare May 10, 2025 19:37

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] May 10, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from fcd12bf to 771e5b5 Compare May 17, 2025 11:43

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] May 17, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 771e5b5 to aff1be9 Compare May 18, 2025 16:06

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] May 18, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from aff1be9 to 3f83a73 Compare May 24, 2025 11:32

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] May 24, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 3f83a73 to b745a9f Compare May 25, 2025 19:59

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] May 25, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from b745a9f to 032bcd5 Compare May 31, 2025 15:59

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] May 31, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 032bcd5 to 3353e7f Compare June 1, 2025 15:32

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Jun 1, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 3353e7f to eabfa87 Compare June 6, 2025 15:58

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Jun 6, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from eabfa87 to 4d26b5a Compare June 8, 2025 10:06

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Jun 8, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 4d26b5a to 2e2fd90 Compare June 22, 2025 19:55

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v6 [security] Jun 22, 2025

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 2e2fd90 to ad06ad3 Compare June 29, 2025 23:53

renovate bot changed the title ~~chore(deps): update dependency vite to v6 [security]~~ chore(deps): update dependency vite to v4 [security] Jun 29, 2025

chore(deps): update dependency vite to v7 [security]

e6781b8

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from ad06ad3 to e6781b8 Compare July 12, 2025 08:11

renovate bot changed the title ~~chore(deps): update dependency vite to v4 [security]~~ chore(deps): update dependency vite to v7 [security] Jul 12, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency vite to v7 [security] #19

chore(deps): update dependency vite to v7 [security] #19

Uh oh!

renovate bot commented Jan 23, 2025 •

edited

Loading

Uh oh!

Uh oh!

chore(deps): update dependency vite to v7 [security] #19

Are you sure you want to change the base?

chore(deps): update dependency vite to v7 [security] #19

Uh oh!

Conversation

renovate bot commented Jan 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Summary

Upgrade Path

Using the backend integration feature

Using a reverse proxy in front of Vite

Accessing the development server via a domain other than localhost or *.localhost

Using a plugin / framework that connects to the WebSocket server on their own from the browser

Mitigation without upgrading Vite

[1]: Permissive default CORS settings

[2]: Lack of validation on the Origin header for WebSocket connections

[3]: Lack of validation on the Host header for HTTP requests

Details

[1]: Permissive default CORS settings

[2]: Lack of validation on the Origin header for WebSocket connections

[3]: Lack of validation on the Host header for HTTP requests

Impact

[1]: Permissive default CORS settings

[2]: Lack of validation on the Origin header for WebSocket connections

[3]: Lack of validation on the Host header for HTTP requests

Related Information

PoC

[2]: Lack of validation on the Origin header for WebSocket connections

Release Notes

Bug Fixes

Build System

Bug Fixes

Miscellaneous Chores

Code Refactoring

Bug Fixes

Bug Fixes

Miscellaneous Chores

Features

Fixes

Chore

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

6.1.0-beta.1 (2025-02-04)

6.1.0-beta.0 (2025-01-24)

Configuration

Uh oh!

Uh oh!

renovate bot commented Jan 23, 2025 •

edited

Loading

Accessing the development server via a domain other than `localhost` or `*.localhost`