This PR contains the following updates:
vite 6.2.4 -> 6.2.7
GitHub Vulnerability Alerts
CVE-2025-31125
Summary
The contents of arbitrary files can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using the --host flag or the server.host config option) are affected.
Details
- base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
- content of non-allowed files is exposed using ?raw?import
/@fs/ isn't needed to reproduce the issue for files inside the project root.
PoC
Original report (check details above for simplified cases):
The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice.
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
Example full URL: http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init
CVE-2025-31486
Summary
The contents of arbitrary files can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using the --host flag or the server.host config option) are affected.
Details
.svg
Requests ending with .svg are loaded at this line:
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg together with ?.wasm?init or with a sec-fetch-dest: script header, the restriction could be bypassed.
This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.
relative paths
The check was applied before the id normalization. This allowed requests to bypass it with relative paths (e.g. ../../).
PoC
npm create vite@latest
cd vite-project/
npm install
npm run dev
send request to read etc/passwd
curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'
curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'
CVE-2025-32395
Summary
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
Impact
Only apps with the following conditions are affected.
- explicitly exposing the Vite dev server to the network (using the --host flag or the server.host config option)
- running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)
Details
The HTTP 1.1 spec (RFC 9112) does not allow # in request-target, although an attacker can still send such a request. For requests with an invalid request-line (which includes the request-target), the spec recommends rejecting them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3).
On Node and Bun, those requests are not rejected internally and are passed to user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.
On Deno, those requests are not rejected internally and are passed to user land as well. But for those requests, the value of http.IncomingMessage.url did not contain #.
PoC
npm create vite@latest
cd vite-project/
npm install
npm run dev
send request to read /etc/passwd
curl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173
CVE-2025-46565
Summary
The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using the --host flag or the server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.
- Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
- Examples of other patterns: **/.git/**, .git/**, .git/**/*
Details
server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns could be bypassed for files under root by using a combination of slash and dot (/.).
PoC
npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173


Release Notes
vitejs/vite (vite)
v6.2.7
Compare Source
Please refer to CHANGELOG.md for details.
v6.2.6
Compare Source
Please refer to CHANGELOG.md for details.
v6.2.5
Compare Source
Please refer to CHANGELOG.md for details.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.