## Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
## Details

## CVE-2024-23331
### Vulnerable Library - vite-4.5.0.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-4.5.0.tgz
Path to dependency file: /noise-suppression/denoize-file/package.json
Path to vulnerable library: /noise-suppression/denoize-file/package.json
Dependency Hierarchy:
- @vonage/noise-suppression-1.0.0.tgz (Root Library)
  - :x: **vite-4.5.0.tgz** (Vulnerable Library)
Found in HEAD commit: ad1785c8f52945604846f3d75e0bbfd9d9342953
Found in base branch: main
### Vulnerability Details

Vite is a frontend tooling framework for JavaScript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably, this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092, with the surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching but the file server does not discriminate by case, a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.
Publish Date: 2024-01-19
URL: CVE-2024-23331
### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
Release Date: 2024-01-19
Fix Resolution: vite - 2.9.17,3.2.8,4.5.2,5.0.12
## CVE-2023-49293

### Vulnerable Library - vite-4.5.0.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-4.5.0.tgz
Path to dependency file: /noise-suppression/denoize-file/package.json
Path to vulnerable library: /noise-suppression/denoize-file/package.json
Dependency Hierarchy:
- @vonage/noise-suppression-1.0.0.tgz (Root Library)
  - :x: **vite-4.5.0.tgz** (Vulnerable Library)
Found in HEAD commit: ad1785c8f52945604846f3d75e0bbfd9d9342953
Found in base branch: main
### Vulnerability Details

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts, it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` together with the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files are not exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability.
Publish Date: 2023-12-04
URL: CVE-2023-49293
### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/vitejs/vite/security/advisories/GHSA-92r3-m2mg-pj97
Release Date: 2023-12-04
Fix Resolution: vite - 4.4.12,4.5.1,5.0.5
## CVE-2024-31207

### Vulnerable Library - vite-4.5.0.tgz

Library home page: https://registry.npmjs.org/vite/-/vite-4.5.0.tgz
Path to dependency file: /noise-suppression/denoize-file/package.json
Path to vulnerable library: /noise-suppression/denoize-file/package.json
Dependency Hierarchy:
- @vonage/noise-suppression-1.0.0.tgz (Root Library)
  - :x: **vite-4.5.0.tgz** (Vulnerable Library)
Found in HEAD commit: ad1785c8f52945604846f3d75e0bbfd9d9342953
Found in base branch: main
### Vulnerability Details

Vite (the French word for "quick", pronounced /vit/, like "veet") is frontend build tooling that improves the frontend development experience. `server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in versions 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.
Publish Date: 2024-04-04
URL: CVE-2024-31207
### Threat Assessment

Exploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g
Release Date: 2024-04-04
Fix Resolution: vite - 2.9.18,3.2.10,4.5.3,5.0.13,5.1.7,5.2.6