scaleway-lib
scaleway-lib copied to clipboard
scaleway
chore(deps): update dependency vite to v6.2.5 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| vite (source) | 6.2.2 -> 6.2.5 |
GitHub Vulnerability Alerts
CVE-2025-31486
Summary
The contents of arbitrary files can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected..
Details
.svg
Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.
This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.
relative paths
The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).
PoC
npm create vite@latest
cd vite-project/
npm install
npm run dev
send request to read etc/passwd
curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'
curl 'http://127.0.0.1:5173/@​fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'
Release Notes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}