Commit 613638a
authored
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?v=4&size=40){kind=avatar}
chore(deps): update dependency vite to v6.4.2 [security] (#7303)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`6.4.1` →
`6.4.2`](https://renovatebot.com/diffs/npm/vite/6.4.1/6.4.2) |
|
|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`^5.4.0` →
`^6.0.0`](https://renovatebot.com/diffs/npm/vite/5.4.21/6.4.2) |
|
|
---
> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/357) for more information.
### GitHub Vulnerability Alerts
####
[CVE-2026-39363](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583)
### Summary
[`server.fs`](https://vite.dev/config/server-options#server-fs-strict)
check was not enforced to the `fetchModule` method that is exposed in
Vite dev server's WebSocket.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using `--host`
or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- WebSocket is not disabled by `server.ws: false`
Arbitrary files on the server (development machine, CI environment,
container, etc.) can be exposed.
### Details
If it is possible to connect to the Vite dev server’s WebSocket
**without an `Origin` header**, an attacker can invoke `fetchModule` via
the custom WebSocket event `vite:invoke` and combine `file://...` with
`?raw` (or `?inline`) to retrieve the contents of arbitrary files on the
server as a JavaScript string (e.g., `export default "..."`).
The access control enforced in the HTTP request path (such as
`server.fs.allow`) is not applied to this WebSocket-based execution
path.
### PoC
1. Start the dev server on the target
Example (used during validation with this repository):
```bash
pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173
```
2. Confirm that access is blocked via the HTTP path (example: arbitrary
file)
```bash
curl -i 'http://localhost:5173/@​fs/etc/passwd?raw'
```
Result: `403 Restricted` (outside the allow list)
<img width="3898" height="1014" alt="image"
src="https://github.com/user-attachments/assets/f6593377-549c-45d7-b562-5c19833438af"
/>
3. Confirm that the same file can be retrieved via the WebSocket path
By connecting to the HMR WebSocket without an `Origin` header and
sending a `vite:invoke` request that calls `fetchModule` with a
`file://...` URL and `?raw`, the file contents are returned as a
JavaScript module.
<img width="1049" height="296" alt="image"
src="https://github.com/user-attachments/assets/af969f7b-d34e-4af4-8adb-5e2b83b31972"
/>
<img width="1382" height="955" alt="image"
src="https://github.com/user-attachments/assets/6a230d2e-197a-4c9c-b373-d0129756d5d7"
/>
####
[GHSA-4w7w-66w2-5vf9](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9)
### Summary
Any files ending with `.map` even out side the project can be returned
to the browser.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using `--host`
or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- have a sensitive content in files ending with `.map` and the path is
predictable
### Details
In Vite v7.3.1, the dev server’s handling of `.map` requests for
optimized dependencies resolves file paths and calls `readFile` without
restricting `../` segments in the URL. As a result, it is possible to
bypass the
[`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict)
allow list and retrieve `.map` files located outside the project root,
provided they can be parsed as valid source map JSON.
### PoC
1. Create a minimal PoC sourcemap outside the project root
```bash
cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF
```
2. Start the Vite dev server (example)
```bash
pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
```
3. Confirm that direct `/@​fs` access is blocked by `strict`
(returns 403)
<img width="4004" height="1038" alt="image"
src="https://github.com/user-attachments/assets/15a859a8-1dc6-4105-8d58-80527c0dd9ab"
/>
4. Inject `../` segments under the optimized deps `.map` URL prefix to
reach `/tmp/poc.map`
<img width="2790" height="846" alt="image"
src="https://github.com/user-attachments/assets/5d02957d-2e6a-4c45-9819-3f024e0e81f2"
/>
---
### Release Notes
<details>
<summary>vitejs/vite (vite)</summary>
###
[`v6.4.2`](https://redirect.github.com/vitejs/vite/releases/tag/v6.4.2)
[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v6.4.1...v6.4.2)
Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md)
for details.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/vortex-data/vortex).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJkZXZlbG9wIiwibGFiZWxzIjpbImNoYW5nZWxvZy9jaG9yZSJdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>1 parent 8584d27 commit 613638a
3 files changed
Lines changed: 325 additions & 150 deletions
0 commit comments