vite@4.4.5 vulnerabilities

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Improper Access Control due to improper request handling through server.fs.deny configuration, which fails to deny requests for patterns with directories. This misconfiguration allows an attacker to bypass intended access restrictions and retrieve sensitive files from the server by crafting specific requests.

Note:

Only apps setting a custom server.fs.deny that includes a pattern with directories and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Upgrade vite to version 2.9.18, 3.2.10, 4.5.3, 5.0.13, 5.1.7, 5.2.6 or higher.

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Access Control Bypass via the server.fs.deny option. An attacker can gain access to sensitive files by requesting raw filesystem paths using case-augmented versions of filenames. This is only exploitable if the server is hosted on a case-insensitive filesystem, including those used by Windows.

Upgrade vite to version 2.9.17, 3.2.8, 4.5.2, 5.0.12 or higher.

vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) when the HTML transformation function is invoked manually through server.transformIndexHtml. The original request URL is passed in unmodified. If the html being transformed contains inline module scripts, it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

This is exploitable by convincing a user running a dev server with appType: 'custom' set and the default HTML middleware, to follow a malicious link. Additionally, restricted files aren't exposed to the attacker.

Upgrade vite to version 4.4.12, 4.5.1, 5.0.5 or higher.