[PR #469] [MERGED] chore(deps): update dependency vite to v6.2.4 [security] #772

Closed
opened 2025-11-01 21:03:53 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/469
Author: @renovate[bot]
Created: 3/31/2025
Status: Merged
Merged: 3/31/2025
Merged by: @kolaente

Base: mainHead: renovate/npm-vite-vulnerability


📝 Commits (1)

  • cef1c9c chore(deps): update dependency vite to v6.2.4 [security]

📊 Changes

2 files changed (+55 additions, -55 deletions)

View changed files

📝 frontend/package.json (+1 -1)
📝 frontend/pnpm-lock.yaml (+54 -54)

📄 Description

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 6.2.3 -> 6.2.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

  • base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
  • content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init


Release Notes

vitejs/vite (vite)

v6.2.4

Compare Source

Please refer to CHANGELOG.md for details.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/go-vikunja/vikunja/pull/469 **Author:** [@renovate[bot]](https://github.com/apps/renovate) **Created:** 3/31/2025 **Status:** ✅ Merged **Merged:** 3/31/2025 **Merged by:** [@kolaente](https://github.com/kolaente) **Base:** `main` ← **Head:** `renovate/npm-vite-vulnerability` --- ### 📝 Commits (1) - [`cef1c9c`](https://github.com/go-vikunja/vikunja/commit/cef1c9cdd440c7b81bcaf52c4d5cc0c4232a8864) chore(deps): update dependency vite to v6.2.4 [security] ### 📊 Changes **2 files changed** (+55 additions, -55 deletions) <details> <summary>View changed files</summary> 📝 `frontend/package.json` (+1 -1) 📝 `frontend/pnpm-lock.yaml` (+54 -54) </details> ### 📄 Description This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.2.3` -> `6.2.4`](https://renovatebot.com/diffs/npm/vite/6.2.3/6.2.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.2.3/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.2.3/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-31125](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8) ### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details - base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`) - content of non-allowed files is exposed using `?raw?import` `/@&#8203;fs/` isn't needed to reproduce the issue for files inside the project root. ### PoC Original report (check details above for simplified cases): The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice ``` $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev ``` Example full URL `http://localhost:5173/@&#8203;fs/C:/windows/win.ini?import&?inline=1.wasm?init` --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v6.2.4`](https://redirect.github.com/vitejs/vite/releases/tag/v6.2.4) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.2.3...v6.2.4) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.2.4/packages/vite/CHANGELOG.md) for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/go-vikunja/vikunja). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2025-11-01 21:03:53 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/vikunja#772