Version Details and Security Vulnerabilities

📦

vite

6.3.7

Comparision Betweeen 6.3.7 and 6.3.6

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

2.53 MB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

vite

6.3.7

Comparision Betweeen 6.3.7 and 6.3.6

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

2.53 MB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 6.3.7 of the package vite.

All Security Vulnerabilities

All the vulnerabilities related to the version 6.3.7 of the package

Summary:

vite allows server.fs.deny bypass via backslash on Windows

Details:

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

Details about vite@6.3.7

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 6.3.7 of the package vite.

All Security Vulnerabilities

All the vulnerabilities related to the version 6.3.7 of the package

Summary:

vite allows server.fs.deny bypass via backslash on Windows

Details:

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
running the dev server on Windows

Details

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

Details about vite@6.3.7

Version Details and Security Vulnerabilities

vite

Comparision Betweeen 6.3.7 and 6.3.6

Security Vulnerabilities

Version Details and Security Vulnerabilities

vite

Comparision Betweeen 6.3.7 and 6.3.6

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Impact

Details

PoC

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Summary

Impact

Details

PoC

Version Details and Security Vulnerabilities

vite

Comparision Betweeen 6.3.7 and 6.3.6

Security Vulnerabilities

Version Details and Security Vulnerabilities

vite

Comparision Betweeen 6.3.7 and 6.3.6

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

vite@6.3.7 GHSA-93m4-6634-74q7 6

Summary

Impact

Details

PoC

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

vite@6.3.7 GHSA-93m4-6634-74q7 6

Summary

Impact

Details

PoC