Skip to content

Vite has an server.fs.deny bypass with an invalid request-target #30095

Closed
Bug
#30099
Closed
Vite has an server.fs.deny bypass with an invalid request-target#30095
Bug
#30099
Assignees
alan-agius4
Labels
area: @angular/buildfreq1: lowOnly reported by a handful of users who observe it rarelyseverity6: securitytype: bug/fix
@ph360

Description

@ph360
ph360
opened on Apr 12, 2025

Which @angular/* package(s) are the source of the bug?

upgrade

Is this a regression?

No

Description

moderate severity vulnerabilities

vite

Affected versions

= 6.2.0, < 6.2.6

Patched versions
6.2.6

In package-lock.json show me "vite": "6.2.5"

Note:
vite the dependencies of node_modules/@angular/build
"version": "19.2.7"

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

C:\pr360-portal-v3\pr360>npm audit
# npm audit report

vite  6.2.0 - 6.2.5
Severity: moderate
Vite has an `server.fs.deny` bypass with an invalid `request-target` - https://github.com/advisories/GHSA-356w-63v5-8wf4
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@19.2.0, which is a breaking change
node_modules/@angular/build/node_modules/vite
  @angular/build  >=19.2.1
  Depends on vulnerable versions of vite
  node_modules/@angular/build
    @angular-devkit/build-angular  >=19.2.1
    Depends on vulnerable versions of @angular/build
    node_modules/@angular-devkit/build-angular

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Please provide the environment you discovered this bug in (run ng version)

Angular CLI: 19.2.7
Node: 22.14.0
Package Manager: npm 11.2.0
OS: win32 x64

Angular: 19.2.6
... common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, platform-server
... router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.7
@angular-devkit/build-angular   19.2.7
@angular-devkit/core            19.2.7
@angular-devkit/schematics      19.2.7
@angular/cli                    19.2.7
@angular/ssr                    19.2.7
@schematics/angular             19.2.7
rxjs                            7.8.2
typescript                      5.7.3
zone.js                         0.15.0

Anything else?

it happens when create one new project angular 19.

Metadata

Metadata

Assignees

Labels

area: @angular/buildfreq1: lowOnly reported by a handful of users who observe it rarelyseverity6: securitytype: bug/fix

Type

Bug

Fields

No fields configured for Bug.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions