vite 2.6.7 vulnerabilities

Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Origin Validation Error vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Origin Validation Error due to default CORS settings and lack of validation on the `Origin` header for WebSocket connections, making any websites able to send any requests to the development server and read the response. An attacker can intercept and manipulate requests by sending crafted WebSocket requests from unauthorized origins. Note: Additionally to upgrading to a fixed version, the following configurations need to be made to fix the vulnerability: If the backend integration feature is used and `server.origin` is not set, the origin of the backend server needs to be added to the `server.cors.origin` option. Make sure to set a specific origin rather than ``, otherwise any origin can access your development server; If a reverse proxy is used in front of Vite and requests are sent to Vite with a hostname other than `localhost` or `.localhost`, the hostname needs to be added to the new `server.allowedHosts` option. For example, if the reverse proxy is sending requests to `http://vite:5173`, `vite` needs to be added to the `server.allowedHosts` option; If the development server is accessed via a domain other than `localhost` or `*.localhost` the hostname needs to be added to the new `server.allowedHosts` option. For example, if you are accessing the development server via `http://foo.example.com:8080`, you need to add `foo.example.com` to the `server.allowedHosts` option; If a plugin / framework is used that connects to the WebSocket server on their own from the browser and the WebSocket connection appears not to be working after upgrading to a fixed version, it is recommended to either fix the plugin / framework code to the make it compatible with the new version or to set `legacy.skipWebSocketTokenCheck: true` to opt-out the fix for "Lack of validation on the Origin header for WebSocket connections" while the plugin / framework is incompatible with the new version of Vite. When enabling this option, make sure that you are aware of the security implications of this vulnerability. How to fix Origin Validation Error? Upgrade `vite` to version 4.5.6, 5.4.12, 6.0.9 or higher.	<4.5.6>=5.0.0 <5.4.12>=6.0.0 <6.0.9
M Information Exposure vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Information Exposure when using `?import&raw` in the URL parameters. An attacker can access file contents that should be restricted by exploiting this bypass mechanism. How to fix Information Exposure? Upgrade `vite` to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.	<3.2.11>=4.0.0 <4.5.5>=5.0.0 <5.2.14>=5.3.0 <5.3.6>=5.4.0 <5.4.6
L Cross-site Scripting (XSS) vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `document.currentScript` lookup mechanism when building scripts to `cjs`/`iife`/`umd` output format. This vulnerability is exploitable on websites that allow users to inject certain scriptless HTML tags without properly sanitizing the `name` or `id` attributes. How to fix Cross-site Scripting (XSS)? Upgrade `vite` to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.	<3.2.11>=4.0.0 <4.5.5>=5.0.0 <5.2.14>=5.3.0 <5.3.6>=5.4.0 <5.4.6
H Path Equivalence vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Path Equivalence such that Server Options (`server.fs.deny`) can be bypassed using double forward-slash (`//`) allowing any unauthenticated user to read files from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.', '.{crt,pem}']`). Note: Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. How to fix Path Equivalence? Upgrade `vite` to version 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, 4.3.9 or higher.	<2.9.16>=3.0.0 <3.2.7>=4.0.0 <4.0.5>=4.1.0 <4.1.5>=4.2.0 <4.2.3>=4.3.0 <4.3.9
H Directory Traversal vite is a Native-ESM powered web dev build tool Affected versions of this package are vulnerable to Directory Traversal. It allows attackers to perform a directory traversal via a crafted URL to the victim's service. How to fix Directory Traversal? Upgrade `vite` to version 2.9.13 or higher.	<2.9.13

Vulnerability

Vulnerable Version

Origin Validation Error

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Origin Validation Error due to default CORS settings and lack of validation on the Origin header for WebSocket connections, making any websites able to send any requests to the development server and read the response. An attacker can intercept and manipulate requests by sending crafted WebSocket requests from unauthorized origins.

Note:

Additionally to upgrading to a fixed version, the following configurations need to be made to fix the vulnerability:

If the backend integration feature is used and server.origin is not set, the origin of the backend server needs to be added to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server;
If a reverse proxy is used in front of Vite and requests are sent to Vite with a hostname other than localhost or *.localhost, the hostname needs to be added to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, vite needs to be added to the server.allowedHosts option;
If the development server is accessed via a domain other than localhost or *.localhost the hostname needs to be added to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option;
If a plugin / framework is used that connects to the WebSocket server on their own from the browser and the WebSocket connection appears not to be working after upgrading to a fixed version, it is recommended to either fix the plugin / framework code to the make it compatible with the new version or to set legacy.skipWebSocketTokenCheck: true to opt-out the fix for "Lack of validation on the Origin header for WebSocket connections" while the plugin / framework is incompatible with the new version of Vite. When enabling this option, make sure that you are aware of the security implications of this vulnerability.

How to fix Origin Validation Error?

Upgrade vite to version 4.5.6, 5.4.12, 6.0.9 or higher.

<4.5.6>=5.0.0 <5.4.12>=6.0.0 <6.0.9

Information Exposure

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Information Exposure when using ?import&raw in the URL parameters. An attacker can access file contents that should be restricted by exploiting this bypass mechanism.

How to fix Information Exposure?

Upgrade vite to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.

<3.2.11>=4.0.0 <4.5.5>=5.0.0 <5.2.14>=5.3.0 <5.3.6>=5.4.0 <5.4.6

Cross-site Scripting (XSS)

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the document.currentScript lookup mechanism when building scripts to cjs/iife/umd output format. This vulnerability is exploitable on websites that allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

How to fix Cross-site Scripting (XSS)?

Upgrade vite to version 3.2.11, 4.5.5, 5.2.14, 5.3.6, 5.4.6 or higher.

<3.2.11>=4.0.0 <4.5.5>=5.0.0 <5.2.14>=5.3.0 <5.3.6>=5.4.0 <5.4.6

Path Equivalence

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Path Equivalence such that Server Options (server.fs.deny) can be bypassed using double forward-slash (//) allowing any unauthenticated user to read files from the Vite root-path of the application including the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}']).

Note:

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

How to fix Path Equivalence?

Upgrade vite to version 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, 4.3.9 or higher.

<2.9.16>=3.0.0 <3.2.7>=4.0.0 <4.0.5>=4.1.0 <4.1.5>=4.2.0 <4.2.3>=4.3.0 <4.3.9

Directory Traversal

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Directory Traversal. It allows attackers to perform a directory traversal via a crafted URL to the victim's service.

How to fix Directory Traversal?

Upgrade vite to version 2.9.13 or higher.

<2.9.13

vite@2.6.7 vulnerabilities

Native-ESM powered web dev build tool

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?