svelte-tiny-virtual-list
chore(deps): update dependency vite to v5.4.12 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| vite (source) | 5.1.8 -> 5.4.12 | | | | |
GitHub Vulnerability Alerts
CVE-2025-24010
Summary
Vite allowed any website to send arbitrary requests to the development server and read the response, due to its default CORS settings and a lack of validation on the Origin header for WebSocket connections.
> [!WARNING]
> This vulnerability even applies to users that only run the Vite dev server on the local machine and do not expose the dev server to the network.
Upgrade Path
Users who do not match any of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.
- Using the backend integration feature
- Using a reverse proxy in front of Vite
- Accessing the development server via a domain other than `localhost` or `*.localhost`
- Using a plugin / framework that connects to the WebSocket server on its own from the browser
Using the backend integration feature
If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.
Using a reverse proxy in front of Vite
If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.
Accessing the development server via a domain other than localhost or *.localhost
You need to add the hostname to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option.
Using a plugin / framework that connects to the WebSocket server on their own from the browser
If you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have code that connects to the WebSocket server on its own from the browser.
In that case, you can either:
- fix the plugin / framework code to make it compatible with the new version of Vite
- set `legacy.skipWebSocketTokenCheck: true` to opt out of the fix for [2] while the plugin / framework is incompatible with the new version of Vite. When enabling this option, make sure that you are aware of the security implications described in the impact section of [2] below.
Mitigation without upgrading Vite
[1]: Permissive default CORS settings
Set server.cors to false or limit server.cors.origin to trusted origins.
[2]: Lack of validation on the Origin header for WebSocket connections
There aren't any mitigations for this.
[3]: Lack of validation on the Host header for HTTP requests
Use Chrome 94+ or use HTTPS for the development server.
Details
There are three causes that allowed malicious websites to send any requests to the development server:
[1]: Permissive default CORS settings
Vite sets the Access-Control-Allow-Origin header depending on server.cors option. The default value was true which sets Access-Control-Allow-Origin: *. This allows websites on any origin to fetch contents served on the development server.
Attack scenario:
- The attacker serves a malicious web page (`http://malicious.example.com`).
- The user accesses the malicious web page.
- The attacker sends a `fetch('http://127.0.0.1:5173/main.js')` request by JS in that malicious web page. This request is normally blocked by the same-origin policy, but that's not the case for the reasons above.
- The attacker gets the content of `http://127.0.0.1:5173/main.js`.
[2]: Lack of validation on the Origin header for WebSocket connections
Vite starts a WebSocket server to handle HMR and other functionality. This WebSocket server did not perform validation on the Origin header and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection (the list of file paths that changed, the file content where the error happened, etc.), but plugins can send arbitrary messages and may include more sensitive information.
Attack scenario:
- The attacker serves a malicious web page (`http://malicious.example.com`).
- The user accesses the malicious web page.
- The attacker runs `new WebSocket('http://127.0.0.1:5173', 'vite-hmr')` by JS in that malicious web page.
- The user edits some files.
- Vite sends some HMR messages over WebSocket.
- The attacker gets the content of the HMR messages.
[3]: Lack of validation on the Host header for HTTP requests
Unless `server.https` is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks unless they validate the Host header, and Vite did not perform that validation. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server, bypassing the same-origin policy.
- The attacker serves a malicious web page that is served on HTTP (`http://malicious.example.com:5173`) (HTTPS won't work).
- The user accesses the malicious web page.
- The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).
- The attacker sends a `fetch('/main.js')` request by JS in that malicious web page.
- The attacker gets the content of `http://127.0.0.1:5173/main.js`, bypassing the same-origin policy.
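The three causes above replayed against a hardened request gate, as an added example that is not Vite's own code: it checks the Host header against `server.allowedHosts`, refuses WebSocket upgrades from unlisted origins (Vite's actual fix for [2] is a token check, so the Origin check here is an illustration of the same control), and emits `Access-Control-Allow-Origin` only for origins listed in `server.cors.origin`. The config values, hostnames and requests are constructed for this example.

```javascript
// Added example, not Vite's code. Controls applied, keyed to the advisory:
//   [1] CORS: echo only origins listed in server.cors.origin, never '*'.
//   [2] WebSocket upgrades: the browser-sent Origin must be the dev server
//       itself or a listed origin (stand-in for Vite's token check).
//   [3] Host header: every request must name the dev server (localhost,
//       *.localhost, loopback) or an entry of server.allowedHosts.
// Config values, hosts and request samples below are constructed.
const devServerConfig = {
  server: {
    host: 'localhost',
    port: 5173,
    cors: { origin: ['http://localhost:5173', 'http://backend.local:8080'] },
    allowedHosts: ['vite'], // hostname a reverse proxy uses to reach Vite
  },
};

// Hosts that are always local; allowedHosts extends this set.
const ALWAYS_ALLOWED_HOSTS = ['localhost', '127.0.0.1', '[::1]'];

// Strip the port from a Host header; an IPv6 literal keeps its brackets.
function hostnameOf(hostHeader) {
  if (!hostHeader) return '';
  const h = hostHeader.toLowerCase();
  if (h.startsWith('[')) return h.slice(0, h.indexOf(']') + 1);
  return h.split(':')[0];
}

// [3] Reject requests whose Host header does not name this server.
function isAllowedHost(hostHeader, config) {
  const name = hostnameOf(hostHeader);
  if (!name) return false;
  if (ALWAYS_ALLOWED_HOSTS.includes(name) || name.endsWith('.localhost')) return true;
  return (config.server.allowedHosts || []).includes(name);
}

// [1] Access-Control-Allow-Origin value: the caller's origin only if listed,
// otherwise no header at all (the browser then refuses the cross-origin read).
function corsHeaderFor(originHeader, config) {
  const allowed = config.server.cors.origin || [];
  return allowed.includes(originHeader) ? originHeader : null;
}

// [2] Only the dev server's own origin or a listed one may open the HMR socket.
function isAllowedWsOrigin(originHeader, config) {
  if (originHeader === undefined) return true; // non-browser client; browsers always send Origin
  let url;
  try { url = new URL(originHeader); } catch { return false; }
  const own = `http://${config.server.host}:${config.server.port}`;
  return [own, ...(config.server.cors.origin || [])].includes(url.origin);
}

// Decide one request { host, origin, upgrade } -> { status, reason?, cors? }.
function gate(req, config) {
  if (!isAllowedHost(req.host, config)) return { status: 403, reason: 'host' };
  if (req.upgrade && !isAllowedWsOrigin(req.origin, config)) {
    return { status: 403, reason: 'origin' };
  }
  return { status: 200, cors: corsHeaderFor(req.origin, config) };
}

// The advisory's scenarios replayed against the gate (constructed requests).
const SCENARIOS = {
  cswsh:       { host: 'localhost:5173', origin: 'http://malicious.example.com', upgrade: true },
  rebinding:   { host: 'malicious.example.com:5173', origin: 'http://malicious.example.com:5173' },
  crossOrigin: { host: '127.0.0.1:5173', origin: 'http://malicious.example.com' },
  ownHmr:      { host: 'localhost:5173', origin: 'http://localhost:5173', upgrade: true },
  viaProxy:    { host: 'vite:5173', origin: 'http://backend.local:8080' },
};
function evaluateScenarios() {
  return Object.fromEntries(Object.entries(SCENARIOS).map(([k, r]) => [k, gate(r, devServerConfig)]));
}
```

`crossOrigin` is the [1] case: the request itself is served (status 200) but no `Access-Control-Allow-Origin` is emitted, so the malicious page cannot read the response.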
Impact
[1]: Permissive default CORS settings
Users with the default `server.cors` option may:
- get the source code stolen by malicious websites
- give the attacker access to functionalities that are not supposed to be exposed externally
  - Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement such functionality, and servers behind `server.proxy` may have it.
[2]: Lack of validation on the Origin header for WebSocket connections
All users may have the file paths of the files that changed, and the file content where the error happened, stolen by malicious websites.
For users who are using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.
For users who are using a plugin that has functionality triggered by messages over WebSocket, that functionality may be exploited by malicious websites.
[3]: Lack of validation on the Host header for HTTP requests
Users using HTTP for the development server and using a browser that is not Chrome 94+ may:
- get the source code stolen by malicious websites
- give the attacker access to functionalities that are not supposed to be exposed externally
  - Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement such functionality, and servers behind `server.proxy` may have it.
Chrome 94+ users are not affected for [3], because sending a request to a private network page from public non-HTTPS page is forbidden since Chrome 94.
Related Information
Safari has a bug that blocks requests to loopback addresses from HTTPS origins. This means that when the user is using Safari and Vite is listening on loopback addresses, there is an additional condition for [1] and [2] to work: the malicious web page must be served on HTTP.
PoC
[2]: Lack of validation on the Origin header for WebSocket connections
- I used the `react` template which utilizes HMR functionality.

```sh
npm create vite@latest my-vue-app-react -- --template react
```
- Then on a malicious server, serve the following POC html:

```html
<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>vite CSWSH</title>
  </head>
  <body>
    <div id="logs"></div>
    <script>
      const div = document.querySelectorAll('#logs')[0];
      // Cross-origin page opens the HMR socket of the local dev server.
      const ws = new WebSocket('ws://localhost:5173', 'vite-hmr');
      ws.onmessage = event => {
        // Every HMR message the server sends is rendered on the attacker's page.
        const logLine = document.createElement('p');
        logLine.innerHTML = event.data;
        div.append(logLine);
      };
    </script>
  </body>
</html>
```
- Kick off Vite with `npm run dev`.
- Load the development server (open `http://localhost:5173/`) as well as the malicious page in the browser.
- Edit the `src/App.jsx` file and intentionally place a syntax error.
- Notice how the malicious page can view the WebSocket messages and a snippet of the source code is exposed.
Here's a video demonstrating the POC:
https://github.com/user-attachments/assets/a4ad05cd-0b34-461c-9ff6-d7c8663d6961
Release Notes
vitejs/vite (vite)
v5.4.12
This version contains a breaking change due to security fixes. See https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6 for more details.
Please refer to CHANGELOG.md for details.
v5.4.11
Please refer to CHANGELOG.md for details.
v5.4.10
Please refer to CHANGELOG.md for details.
v5.4.9
Please refer to CHANGELOG.md for details.
v5.4.8
Please refer to CHANGELOG.md for details.
v5.4.7
Please refer to CHANGELOG.md for details.
v5.4.6
Please refer to CHANGELOG.md for details.
v5.4.5
Please refer to CHANGELOG.md for details.
v5.4.4
Please refer to CHANGELOG.md for details.
v5.4.3
- fix: allow getting URL of JS files in publicDir (#17915) (943ece1), closes #17915
- fix: cjs warning respect the logLevel flag (#17993) (dc3c14f), closes #17993
- fix: improve CJS warning trace information (#17926) (5c5f82c), closes #17926
- fix: only remove entry assets handled by Vite core (#17916) (ebfaa7e), closes #17916
- fix: waitForRequestIdle locked (#17982) (ad13760), closes #17982
- fix(css): fix directory index import in sass modern api (#17960) (9b001ba), closes #17960
- fix(css): fix sass `file://` reference (#17909) (561b940), closes #17909
- fix(css): fix sass modern source map (#17938) (d428e7e), closes #17938
- fix(deps): bump tsconfck (#17990) (8c661b2), closes #17990
- fix(html): rewrite assets url in (#17988) (413c86a), closes #17988
- fix(preload): add crossorigin attribute in CSS link tags (#17930) (15871c7), closes #17930
- chore: reduce diffs with v6 branch (#17942) (bf9065a), closes #17942
- chore(deps): update all non-major dependencies (#17945) (cfb621e), closes #17945
- chore(deps): update all non-major dependencies (#17991) (0ca53cf), closes #17991
v5.4.2
- chore: remove stale TODOs (#17866) (e012f29), closes #17866
- refactor: remove redundant prepend/strip base (#17887) (3b8f03d), closes #17887
- fix: resolve relative URL generated by `renderBuiltUrl` passed to module preload (#16084) (fac3a8e), closes #16084
- feat: support originalFilename (#17867) (7d8c0e2), closes #17867
v5.4.1
- fix: `build.modulePreload.resolveDependencies` is optimizable (#16083) (e961b31), closes #16083
- fix: align CorsOptions.origin type with @types/cors (#17836) (1bda847), closes #17836
- fix: typings for vite:preloadError (#17868) (6700594), closes #17868
- fix(build): avoid re-define `__vite_import_meta_env__` (#17876) (e686d74), closes #17876
- fix(deps): update all non-major dependencies (#17869) (d11711c), closes #17869
- fix(lightningcss): search for assets with correct base path (#17856) (4e5ce3c), closes #17856
- fix(worker): handle self reference url worker in dependency for build (#17846) (391bb49), closes #17846
- chore: fix picocolors import for local dev (#17884) (9018255), closes #17884
- refactor: remove `handleHotUpdate` from watch-package-data plugin (#17865) (e16bf1f), closes #17865
v5.4.0
- fix(build): windows platform build output path error (#17818) (6ae0615), closes #17818
- fix(deps): update launch-editor to consume fix for windows paths (#17828) (cf2f90d), closes #17828
- fix(ssr): fix `global` variable name conflict (#17809) (6aa2206), closes #17809
- fix(worker): fix `importScripts` injection breaking iife code (#17827) (bb4ba9f), closes #17827
- chore: bump typescript-eslint to v8 (#17624) (d1891fd), closes #17624
- chore(deps): update all non-major dependencies (#17820) (bb2f8bb), closes #17820
- perf(ssr): do a single-pass over AST with node cache arrays (#17812) (81327eb), closes #17812
v5.3.6
Please refer to CHANGELOG.md for details.
v5.3.5
- refactor(asset): remove rollup 3 public file watch workaround (#16331) (66bdb1d), closes #16331
- fix: make `server` type less restrictive (fix #17627) (#17628) (b55c32f), closes #17627 #17628
- fix: show error if vite client cannot be loaded (#17419) (db5ab1d), closes #17419
- fix(build): env output is not stable (#17748) (b240a83), closes #17748
- fix(client): fix vite error path (#17744) (3c1bde3), closes #17744
- fix(css): resolve url aliases with fragments (fix: #17690) (#17691) (d906d3f)
- fix(deps): update all non-major dependencies (#17629) (93281b0), closes #17629
- fix(importMetaGlob): handle alias that starts with hash (#17743) (b58b423), closes #17743
- fix(ssrTransform): sourcemaps with multiple sources (#17677) (f321fa8), closes #17677
- chore: extend commit hash (#17709) (4fc9b64), closes #17709
- chore(deps): update all non-major dependencies (#17734) (9983731), closes #17734
- chore(deps): update typescript (#17699) (df5ceb3), closes #17699
- revert: fix(logger): truncate log over 5000 characters long (#16581) (#17729) (f4f488f), closes #16581 #17729
v5.3.4
- fix: update Terser type definitions (fix #17668) (#17669) (b723a75), closes #17668 #17669
- fix(build): skip preload treeshaking for nested braces (#17687) (4be96b4), closes #17687
- fix(css): include `.css?url` in assets field of manifest (#17623) (1465b20), closes #17623
- fix(worker): nested inlined worker always fallbacked to data URI worker instead of using blob worker (07bc489), closes #17509
- refactor: replace includes with logical operations (#17620) (c4a2227), closes #17620
- chore: add callback to http-proxy.d.ts jsdoc (#17646) (d8a5d70), closes #17646
v5.3.3
- fix: lazily evaluate __vite__mapDeps files (#17602) (dafff4a), closes #17602
- fix(deps): update all non-major dependencies (#17590) (012490c), closes #17590
- fix(lib): remove pure CSS dynamic import (#17601) (055f1c1), closes #17601
- fix(proxy): replace changeOrigin changes in 5.3.0 with new rewriteWsOrigin option (#17563) (14c3d49), closes #17563
v5.3.2
- fix(client): uniform variable `location` (#17528) (a8e2f6f), closes #17528
- fix(deps): update all non-major dependencies (#17494) (bf123f2), closes #17494
- fix(typescript): correctly expand ${configDir} in tsconfig.json (#17576) (24c799b), closes #17576
- chore: fix some comments (#17495) (ec16a5e), closes #17495
- chore(deps): update all non-major dependencies (#17553) (a33a97f), closes #17553
- chore(deps): update dependency eslint to v9 (#16661) (6c10662), closes #16661
- chore(deps): update es-module-lexer to 1.5.4 (#17555) (2d6672f), closes #17555
- refactor(optimizer): use early continues (#17551) (7c06ef0), closes #17551
v5.3.1
- fix(build): handle preload treeshaking for braces (#17479) (d355568), closes #17479
- fix(build): handle preload treeshaking for commas (#17472) (3e27071), closes #17472
- fix(build): preload treeshaking ignore equal (#17480) (6ced135), closes #17480
- chore: consolidate changelog for 5.3 (#17476) (1f09344), closes #17476
v5.3.0
- fix: typo in client log (#17363) (68aa9f8), closes #17363
- fix(ssrTransform): handle arbitrary module namespace identifiers (#17446) (0a76652), closes #17446
- test: disable isolate for unit test (#17448) (f16fae5), closes #17448
- feat: asset type add bmp (#17439) (ec287f8), closes #17439
v5.2.14
Please refer to CHANGELOG.md for details.
v5.2.13
Please refer to CHANGELOG.md for details.
v5.2.12
- chore: move to eslint flat config (#16743) (8f16765), closes #16743
- chore(deps): remove unused deps (#17329) (5a45745), closes #17329
- chore(deps): update all non-major dependencies (#16722) (b45922a), closes #16722
- fix: mention `build.rollupOptions.output.manualChunks` instead of `build.rollupOutput.manualChunks` (89378c0), closes #16721
- fix(build): make SystemJSWrapRE match lazy (#16633) (6583ad2), closes #16633
- fix(css): avoid generating empty JS files when JS files becomes empty but has CSS files imported (#1 (95fe5a7), closes #16078
- fix(css): handle lightningcss compiled css in Deno (#17301) (8e4e932), closes #17301
- fix(css): only use files the current bundle contains (#16684) (15a6ebb), closes #16684
- fix(css): page reload was not happening with .css?raw (#16455) (8041846), closes #16455
- fix(deps): update all non-major dependencies (#16603) (6711553), closes #16603
- fix(deps): update all non-major dependencies (#16660) (bf2f014), closes #16660
- fix(deps): update all non-major dependencies (#17321) (4a89766), closes #17321
- fix(error-logging): rollup errors weren't displaying id and codeframe (#16540) (22dc196), closes #16540
- fix(hmr): normalize the path info (#14255) (6a085d0), closes #14255
- fix(hmr): trigger page reload when calling invalidate on root module (#16636) (2b61cc3), closes #16636
- fix(logger): truncate log over 5000 characters long (#16581) (b0b839a), closes #16581
- fix(optimizer): log dependencies added by plugins (#16729) (f0fb987), closes #16729
- fix(sourcemap): improve sourcemap compatibility for vue2 (#16594) (913c040), closes #16594
- docs: correct proxy shorthand example (#15938) (abf766e), closes #15938
- docs: deprecate server.hot (#16741) (e7d38ab), closes #16741
v5.2.11
- feat: improve dynamic import variable failure error message (#16519) (f8feeea), closes #16519
- fix: dynamic-import-vars plugin normalize path issue (#16518) (f71ba5b), closes #16518
- fix: scripts and styles were missing from built HTML on Windows (#16421) (0e93f58), closes #16421
- fix(deps): update all non-major dependencies (#16488) (2d50be2), closes #16488
- fix(deps): update all non-major dependencies (#16549) (2d6a13b), closes #16549
- fix(dev): watch publicDir explicitly to include it outside the root (#16502) (4d83eb5), closes #16502
- fix(preload): skip preload for non-static urls (#16556) (bb79c9b), closes #16556
- fix(ssr): handle class declaration and expression name scoping (#16569) (c071eb3), closes #16569
- fix(ssr): handle function expression name scoping (#16563) (02db947), closes #16563
v5.2.10
- revert: perf: use workspace root for fs cache (#15712) (#16476) (77e7359), closes #15712 #16476
- fix: add base to virtual html (#16442) (721f94d), closes #16442
- fix: adjust esm syntax judgment logic (#16436) (af72eab), closes #16436
- fix: don't add outDirs to watch.ignored if emptyOutDir is false (#16453) (6a127d6), closes #16453
- fix(cspNonce): don't overwrite existing nonce values (#16415) (b872635), closes #16415
- feat: show warning if root is in build.outDir (#16454) (11444dc), closes #16454
- feat: write cspNonce to style tags (#16419) (8e54bbd), closes #16419
- chore(deps): update dependency eslint-plugin-n to v17 (#16381) (6cccef7), closes #16381
v5.2.9
- fix: `fsp.rm` removing files does not take effect (#16032) (b05c405), closes #16032
- fix: fix accumulated stacks in error overlay (#16393) (102c2fd), closes #16393
- fix(deps): update all non-major dependencies (#16376) (58a2938), closes #16376
- chore: update region comment (#16380) (77562c3), closes #16380
- perf: reduce size of injected __vite__mapDeps code (#16184) (c0ec6be), closes #16184
- perf(css): only replace empty chunk if imported (#16349) (e2658ad), closes #16349
v5.2.8
- fix: csp nonce injection when no closing tag (#16281) (#16282) (3c85c6b), closes #16281 #16282
- fix: do not access document in `/@vite/client` when not defined (#16318) (646319c), closes #16318
- fix: fix sourcemap when using object as `define` value (#15805) (445c4f2), closes #15805
- fix(css): unknown file error happened with lightningcss (#16306) (01af308), closes #16306
- fix(hmr): multiple updates happened when invalidate is called while multiple tabs open (#16307) (21cc10b), closes #16307
- fix(scanner): duplicate modules for same id if glob is used in html-like types (#16305) (eca68fa), closes #16305
- chore(deps): update all non-major dependencies (#16325) (a78e265), closes #16325
- refactor: use types from sass instead of @types/sass (#16340) (4581e83), closes #16340
v5.2.7
- chore: deprecate splitVendorChunkPlugin (#16274) (45a06da), closes #16274
- fix: skip injecting `__vite__mapDeps` when it's not used (#16271) (890538a), closes #16271
- fix(deps): update all non-major dependencies (#16258) (7caef42), closes #16258
- fix(hmr): don't mutate module graph when collecting modules (#16302) (dfffea1), closes #16302
- fix(hmr): trigger hmr for missing file import errored module after file creation (#16303) (ffedc06), closes #16303
- fix(sourcemap): don't warn even if the sourcesContent is an empty string (#16273) (24e376a), closes #16273
- feat(hmr): reload when HTML file is created/deleted (#16288) (1f53796), closes #16288
v5.2.6
v5.2.5
- fix: avoid SSR requests in waitForRequestIdle (#16246) (7093f77), closes #16246
- docs: clarify enforce vs hook.order (#16226) (3a73e48), closes #16226
v5.2.4
v5.2.3
- fix: handle warmup request error correctly (#16223) (d7c5256), closes #16223
- fix: skip encode if is data uri (#16233) (8617e76), closes #16233
- fix(optimizer): fix `optimizeDeps.include` glob syntax for `./*` exports (#16230) (f184c80), closes #16230
- fix(runtime): fix sourcemap with `prepareStackTrace` (#16220) (dad7f4f), closes #16220
- chore: `utf8` replaced with `utf-8` (#16232) (9800c73), closes #16232
v5.2.2
- fix(importAnalysis): skip encode in ssr (#16213) ([e4d2d60](https://redirect.github.com/vitejs/vite/
Configuration
Schedule: Branch creation - "" in timezone Europe/Vienna, Automerge - "* 0-3 * * *" in timezone Europe/Vienna.
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
Deploying svelte-tiny-virtual-list with Cloudflare Pages
| Latest commit: | 4e5c5da |
| Status: | Deploy successful! |
| Preview URL: | https://533c3f22.svelte-tiny-virtual-list.pages.dev |
| Branch Preview URL: | https://renovate-npm-vite-vulnerabil.svelte-tiny-virtual-list.pages.dev |