dnlkoch
commented
1 year ago :tada: This PR is included in version 5.2.0 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
Closed renovate[bot] closed 1 year ago
dnlkoch
commented
1 year ago :tada: This PR is included in version 5.2.0 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
This PR contains the following updates:
4.3.8->4.3.9GitHub Vulnerability Alerts
CVE-2023-34092
Summary
Vite Server Options (
server.fs.deny) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the defaultfs.denysettings (['.env', '.env.*', '*.{crt,pem}'])Impact
Only users explicitly exposing the Vite dev server to the network (using
--hostorserver.hostconfig option) are affected, and only files in the immediate Vite project root folder could be exposed.Patches
Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16
Details
Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deny to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.
PoC
//) (e.g://.env,//.env.local)fs.denyrestrict successfully bypassed.Proof Images:
Release Notes
vitejs/vite (vite)
### [`v4.3.9`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small439-2023-05-26-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v4.3.8...v4.3.9) - fix: fs.deny with leading double slash ([#13348](https://togithub.com/vitejs/vite/issues/13348)) ([813ddd6](https://togithub.com/vitejs/vite/commit/813ddd6)), closes [#13348](https://togithub.com/vitejs/vite/issues/13348) - fix: optimizeDeps during build and external ids ([#13274](https://togithub.com/vitejs/vite/issues/13274)) ([e3db771](https://togithub.com/vitejs/vite/commit/e3db771)), closes [#13274](https://togithub.com/vitejs/vite/issues/13274) - fix(css): return deps if have no postcss plugins ([#13344](https://togithub.com/vitejs/vite/issues/13344)) ([28923fb](https://togithub.com/vitejs/vite/commit/28923fb)), closes [#13344](https://togithub.com/vitejs/vite/issues/13344) - fix(legacy): style insert order ([#13266](https://togithub.com/vitejs/vite/issues/13266)) ([e444375](https://togithub.com/vitejs/vite/commit/e444375)), closes [#13266](https://togithub.com/vitejs/vite/issues/13266) - chore: revert prev release commit ([2a30a07](https://togithub.com/vitejs/vite/commit/2a30a07)) - release: v4.3.9 ([5c9abf7](https://togithub.com/vitejs/vite/commit/5c9abf7)) - docs: optimizeDeps.needsInterop ([#13323](https://togithub.com/vitejs/vite/issues/13323)) ([b34e79c](https://togithub.com/vitejs/vite/commit/b34e79c)), closes [#13323](https://togithub.com/vitejs/vite/issues/13323) - test: respect commonjs options in playgrounds ([#13273](https://togithub.com/vitejs/vite/issues/13273)) ([19e8c68](https://togithub.com/vitejs/vite/commit/19e8c68)), closes [#13273](https://togithub.com/vitejs/vite/issues/13273) - refactor: simplify SSR options' if statement ([#13254](https://togithub.com/vitejs/vite/issues/13254)) ([8013a66](https://togithub.com/vitejs/vite/commit/8013a66)), closes [#13254](https://togithub.com/vitejs/vite/issues/13254) - perf(ssr): calculate stacktrace offset lazily ([#13256](https://togithub.com/vitejs/vite/issues/13256)) ([906c4c1](https://togithub.com/vitejs/vite/commit/906c4c1)), closes [#13256](https://togithub.com/vitejs/vite/issues/13256)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.