Update dependency vite to v6.1.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	6.0.9 → 6.1.6

---

Vite bypasses server.fs.deny when using ?raw??

CVE-2025-30208 / GHSA-x574-m823-4x7w

More information

Details

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

##### expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

##### security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

• https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
• https://nvd.nist.gov/vuln/detail/CVE-2025-30208
• https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
• https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
• https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
• https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
• https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
• https://github.com/advisories/GHSA-x574-m823-4x7w

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Vite has a server.fs.deny bypassed for inline and raw with ?import query

CVE-2025-31125 / GHSA-4r4m-qw57-chr8

More information

Details

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

• base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
• content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

• https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8
• https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949
• https://nvd.nist.gov/vuln/detail/CVE-2025-31125
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125
• https://github.com/advisories/GHSA-4r4m-qw57-chr8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Vite allows server.fs.deny to be bypassed with .svg or relative paths

CVE-2025-31486 / GHSA-xcj6-pq6g-qj4x

More information

Details

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

.svg

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@​fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

• https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x
• https://nvd.nist.gov/vuln/detail/CVE-2025-31486
• https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647
• https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
• https://github.com/advisories/GHSA-xcj6-pq6g-qj4x

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Vite's server.fs.deny bypassed with /. for files under project root

CVE-2025-46565 / GHSA-859w-5945-r5v3

More information

Details

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

• Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
• Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

Severity

• CVSS Score: 6.0 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3
• https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb
• https://nvd.nist.gov/vuln/detail/CVE-2025-46565
• https://github.com/advisories/GHSA-859w-5945-r5v3

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vitejs/vite (vite)

v6.1.6

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.5

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.4

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.3

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.2

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.1

Compare Source

Features

• add support for injecting debug IDs (#​18763) (0ff556a)

Bug Fixes

• css: run rewrite plugin if postcss plugin exists (#​19371) (bcdb51a)
• deps: bump tsconfck (#​19375) (746a583)
• deps: update all non-major dependencies (#​19392) (60456a5)
• deps: update all non-major dependencies (#​19440) (ccac73d)
• ensure .[cm]?[tj]sx? static assets are JS mime (#​19453) (e7ba55e)
• html: ignore malformed src attrs (#​19397) (aff7812)
• ignore *.ipv4 address in cert (#​19416) (973283b)
• worker: fix web worker type detection (#​19462) (edc65ea)

Miscellaneous Chores

• update 6.1.0 changelog (#​19363) (fa7c211)

Code Refactoring

• remove custom .jxl mime (#​19457) (0c85464)

v6.1.0

Compare Source

Features

• add support for injecting debug IDs (#​18763) (0ff556a)

Bug Fixes

• css: run rewrite plugin if postcss plugin exists (#​19371) (bcdb51a)
• deps: bump tsconfck (#​19375) (746a583)
• deps: update all non-major dependencies (#​19392) (60456a5)
• deps: update all non-major dependencies (#​19440) (ccac73d)
• ensure .[cm]?[tj]sx? static assets are JS mime (#​19453) (e7ba55e)
• html: ignore malformed src attrs (#​19397) (aff7812)
• ignore *.ipv4 address in cert (#​19416) (973283b)
• worker: fix web worker type detection (#​19462) (edc65ea)

Miscellaneous Chores

• update 6.1.0 changelog (#​19363) (fa7c211)

Code Refactoring

• remove custom .jxl mime (#​19457) (0c85464)

v6.0.15

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.14

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.13

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.12

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.11

Compare Source

Features

• show hosts in cert in CLI (#​19317) (a5e306f)
• support for env var for defining allowed hosts (#​19325) (4d88f6c)
• use native runtime to import the config (#​19178) (7c2a794)
• print port in the logged error message after failed WS connection with EADDRINUSE (#​19212) (14027b0)
• add support for .jxl (#​18855) (57b397c)
• add the builtins environment resolve (#​18584) (2c2d521)
• call Logger for plugin logs in build (#​13757) (bf3e410)
• css: add friendly errors for IE hacks that are not supported by lightningcss (#​19072) (caad985)
• export defaultAllowedOrigins for user-land config and 3rd party plugins (#​19259) (dc8946b)
• expose createServerModuleRunnerTransport (#​18730) (8c24ee4)
• optimizer: support bun text lockfile (#​18403) (05b005f)
• reporter: add wasm to the compressible assets regex (#​19085) (ce84142)
• support async for proxy.bypass (#​18940) (a6b9587)
• support log related functions in dev (#​18922) (3766004)
• use module runner to import the config (#​18637) (b7e0e42)
• worker: support dynamic worker option fields (#​19010) (d0c3523)

Bug Fixes

• avoid builtStart during vite optimize (#​19356) (fdb36e0)
• build: fix stale build manifest on watch rebuild (#​19361) (fcd5785)
• allow expanding env vars in reverse order (#​19352) (3f5f2bd)
• avoid packageJson without name in resolveLibCssFilename (#​19324) (f183bdf)
• html: fix css disorder when building multiple entry html (#​19143) (e7b4ba3)
• css: less [@plugin](https://redirect.github.com/plugin) imports of JS files treated as CSS and rebased (fix #​19268) (#​19269) (602b373)
• deps: update all non-major dependencies (#​19296) (2bea7ce)
• don't call buildStart hooks for vite optimize (#​19347) (19ffad0)
• don't call next middleware if user sent response in proxy.bypass (#​19318) (7e6364d)
• resolve: preserve hash/search of file url (#​19300) (d1e1b24)
• resolve: warn if node-like builtin was imported when resolve.builtin is empty (#​19312) (b7aba0b)
• respect top-level server.preTransformRequests (#​19272) (12aaa58)
• ssr: fix transform error due to export all id scope (#​19331) (e28bce2)
• ssr: pretty print plugin error in ssrLoadModule (#​19290) (353c467)
• use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#​19313) (9fc31b6)
• change ResolvedConfig type to interface to allow extending it (#​19210) (bc851e3)
• correctly resolve hmr dep ids and fallback to url (#​18840) (b84498b)
• deps: update all non-major dependencies (#​19190) (f2c07db)
• hmr: register inlined assets as a dependency of CSS file (#​18979) (eb22a74)
• make --force work for all environments (#​18901) (51a42c6)
• resolve: support resolving TS files by JS extension specifiers in JS files (#​18889) (612332b)
• ssr: combine empty source mappings (#​19226) (ba03da2)
• use loc.file from rollup errors if available (#​19222) (ce3fe23)
• utils: clone RegExp values with new RegExp instead of structuredClone (fix #​19245, fix #​18875) (#​19247) (56ad2be)

Performance Improvements

• css: only run postcss when needed (#​19061) (30194fa)

Documentation

• rephrase browser range and features relation (#​19286) (97569ef)
• update build.manifest jsdocs (#​19332) (4583781)

Code Refactoring

• deprecate vite optimize command (#​19348) (6e0e3c0)

Miscellaneous Chores

• update deprecate links domain (#​19353) (2b2299c)
• deps: update dependency strip-literal to v3 (#​19231) (1172d65)
• remove outdated code comment about scanImports not being used in ssr (#​19285) (fbbc6da)
• unneeded name in lockfileFormats (#​19275) (96092cb)

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

v6.0.10

Compare Source

Bug Fixes

• try parse server.origin URL (#​19241) (2495022)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.