vite@6.0.6 vulnerabilities

Native-ESM powered web dev build tool

  • latest version

    6.0.11

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    18 hours ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the vite package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Origin Validation Error

    vite is a Native-ESM powered web dev build tool

    Affected versions of this package are vulnerable to Origin Validation Error due to default CORS settings and lack of validation on the Origin header for WebSocket connections, making any websites able to send any requests to the development server and read the response. An attacker can intercept and manipulate requests by sending crafted WebSocket requests from unauthorized origins.

    Note:

    Additionally to upgrading to a fixed version, the following configurations need to be made to fix the vulnerability:

    1. If the backend integration feature is used and server.origin is not set, the origin of the backend server needs to be added to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server;

    2. If a reverse proxy is used in front of Vite and requests are sent to Vite with a hostname other than localhost or *.localhost, the hostname needs to be added to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, vite needs to be added to the server.allowedHosts option;

    3. If the development server is accessed via a domain other than localhost or *.localhost the hostname needs to be added to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option;

    4. If a plugin / framework is used that connects to the WebSocket server on their own from the browser and the WebSocket connection appears not to be working after upgrading to a fixed version, it is recommended to either fix the plugin / framework code to the make it compatible with the new version or to set legacy.skipWebSocketTokenCheck: true to opt-out the fix for "Lack of validation on the Origin header for WebSocket connections" while the plugin / framework is incompatible with the new version of Vite. When enabling this option, make sure that you are aware of the security implications of this vulnerability.

    How to fix Origin Validation Error?

    Upgrade vite to version 4.5.6, 5.4.12, 6.0.9 or higher.

    <4.5.6>=5.0.0 <5.4.12>=6.0.0 <6.0.9