04/14/2025, 5:34 PM

Requests ending with `.svg` are loaded at this line:
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding `?.svg` together with `?.wasm?init`, or with a `sec-fetch-dest: script` header, the restriction could be bypassed.
This bypass is only possible if the file is smaller than `build.assetsInlineLimit` (default: 4kB) and when using Vite 6.0+.
##### relative paths
The check was applied before the id normalization. This allowed requests to bypass it with relative paths (e.g. `../../`).
##### PoC
```sh
npm create vite@latest
cd vite-project/
npm install
npm run dev
```
Send a request to read `etc/passwd`:
```sh
curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'
curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'
```
#### Severity
• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
#### References
• https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x
• https://nvd.nist.gov/vuln/detail/CVE-2025-31486
• https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647
• https://github.com/vitejs/vite
• https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### Vite has a `server.fs.deny` bypass with an invalid `request-target`
CVE-2025-32395 / GHSA-356w-63v5-8wf4
#### Details
##### Summary
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
##### Impact
Only apps with the following conditions are affected.
• explicitly exposing the Vite dev server to the network (using --host or server.host config option)
• running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)
##### Details
HTTP 1.1 spec (RFC 9112) does not allow `#` in `request-target`. However, an attacker can still send such a request. For requests with an invalid request-line (which includes the request-target), the spec recommends rejecting them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3).
On Node and Bun, those requests are not rejected internally and are passed to user land. For those requests, the value of `http.IncomingMessage.url` contains `#`. Vite assumed `req.url` won't contain `#` when checking `server.fs.deny`, allowing those kinds of requests to bypass the check.
On Deno, those requests are not rejected internally and are passed to user land as well. But for those requests, the value of `http.IncomingMessage.url` did not contain `#`.
##### PoC
```sh
npm create vite@latest
cd vite-project/
npm install
npm run dev
```
Send a request to read `/etc/passwd`:
```sh
curl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173
```
#### Severity
• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
#### References
• https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4
• https://nvd.nist.gov/vuln/detail/CVE-2025-32395
• https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70
• https://github.com/vitejs/vite
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### Vite's server.fs.deny bypassed with /. for files under project root
CVE-2025-46565 / GHSA-859w-5945-r5v3
#### Details
##### Summary
The contents of files in the project `root` that are denied by a file matching pattern can be returned to the browser.
##### Impact
Only apps explicitly exposing the Vite dev server to the network (using --host …
04/16/2025, 11:15 PM

@dependabot rebase.
---
04/21/2025, 2:11 AM

```go
// (the start of the struct and the name of its first field are cut off in the source)
	validate:"required"
	Ref      string `validate:"required"`
	Type     string `validate:"required"`
	PR       int
	Projects []string
	Paths    []struct {
		Directory string
		Workspace string
	}
}
```
However, this is not sufficient information as many operations rely on knowing the exact commit we are working on and not just the Ref, which is a moving target.
Furthermore, it's more reliable to explicitly state the SHA you want to perform actions on, otherwise you could get unexpected results as the pipeline you are currently working with locally might be pointing to a different version of the Ref than the one that Atlantis fetches.
## tests
I would like guidance on how to appropriately test this change, as I'm fairly unfamiliar with the Atlantis codebase.
## references
closes #5143
04/22/2025, 5:57 PM

• Add more thorough locking around Clone() calls, covering all of these phases:
  • Am I on the right commit
  • Merge with upstream
  • Clone if necessary
• Reduce the number of remote git operations when planning or applying in parallel
• Clean up the Clone() method, split into Clone() and MergeAgain()
• For parallel mode to work, you must either set the environment variable `TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE` to something, or check in your .hcl files. Otherwise terraform cannot run in parallel.
## why
• The Clone call had several race conditions where it could miss clones or delete the working directory under running processes causing failures.
## tests
I ran
```sh
make test-all fmt lint
```
## references
• This is just #3670 rebased
• Closes #3670
04/22/2025, 6:00 PM

• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
#### References
• https://nvd.nist.gov/vuln/detail/CVE-2025-22872
• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
• https://pkg.go.dev/vuln/GO-2025-3595
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-22872 / GHSA-vvgc-356p-c3xw / GO-2025-3595
#### Details
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc. contexts).
#### Severity
Unknown
#### References
• https://go.dev/cl/662715
• https://go.dev/issue/73070
• https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
---
### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
04/23/2025, 6:15 AM

`import rego.v1` to the policy.
• The `rego-version` flag will remain available indefinitely, and users who do not wish to update their Rego policies can continue to use v0 syntax by setting this flag to `v0`.
For more information about upgrading to Rego v1 syntax, see the upstream docs at https://www.openpolicyagent.org/docs/latest/v0-upgrade/.
#### Changelog
##### New Features
• `21e1163`: feat: add pre-commit hook support (#1077) (@thevilledev)
##### OPA Changes
• `eac6f5e`: build(deps): bump github.com/open-policy-agent/opa from 1.2.0 to 1.3.0 (#1092) (@dependabot[bot])
##### Other Changes
• `813f329`: build(deps): bump cuelang.org/go from 0.12.0 to 0.12.1 (#1094) (@dependabot[bot])
• `45bf533`: build(deps): bump github.com/BurntSushi/toml from 1.4.0 to 1.5.0 (#1089) (@dependabot[bot])
• `19f1eaf`: build(deps): bump github.com/magiconair/properties from 1.8.9 to 1.8.10 (#1097) (@dependabot[bot])
• `a20159b`: build(deps): bump github.com/moby/buildkit from 0.20.0 to 0.20.1 (#1083) (@dependabot[bot])
• `32aac49`: build(deps): bump github.com/moby/buildkit from 0.20.1 to 0.20.2 (#1091) (@dependabot[bot])
• `1b1ce3a`: build(deps): bump golang from 1.24.0-alpine to 1.24.1-alpine (#1086) (@dependabot[bot])
• `cb88a17`: build(deps): bump golang from 1.24.1-alpine to 1.24.2-alpine (#1096) (@dependabot[bot])
• `8c8b13f`: ci: Remove PR workflow access to all permissions from GITHUB_TOKEN (#1088) (@jalseth)
• `688c88f`: deps: Bump hcl2json to v0.6.7 (#1074) (@jalseth)
• `e9612c3`: refactor(ci): replace Makefile-based Docker builds with GitHub Action (#1082) (@Amamgbu)
---
### Configuration
📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
04/24/2025, 2:09 AM

`BaseBranch` and `Commit`
## why
As of now, the /api/plan endpoint constructs a PullRequest that uses the provided Ref parameter as the base branch and head commit. This causes issues when running additional steps along with plan (e.g.: policy check, infracost, etc).
Here's an example error:
```
repo was already cloned but is not at correct commit, wanted "pr-plan-test" got "7a19f2011..."
```
This will then trigger a new clone which will override needed artifacts from the previous steps which will then cause /api/plan to fail.
By properly setting HeadCommit from the new optional APIRequest parameter this issue is avoided.
## references
## tests
• I have tested my changes by adding unit tests
04/30/2025, 7:54 AM

`project-regex` and `directory-regex` matching support to extend the existing webhook event configuration.
## why
Repositories can contain many Atlantis managed Terraform projects, and can control their applies based on CODEOWNERS checks in MRs/PRs by directories etc.
As an example folder structure:
```
environments/
├─ development/
│  ├─ project-a/
├─ production/
├─ staging/
```
Not every apply within the repository may need a slack/webhook notification, or you may want to filter specific projects/folders to different channels or webhook endpoints.
Currently Atlantis doesn't support a way of configuring webhooks to fire based on directory, or project name.
## tests
Added new test cases covering multiple combinations of the existing and new regex fields.
## references
Closes #5450
04/30/2025, 7:36 PM

`vite` from 6.2.6 to 6.3.4
Release notes
Sourced from vite's releases.
## v6.3.4
Please refer to CHANGELOG.md for details.
## v6.3.3
Please refer to CHANGELOG.md for details.
## v6.3.2
Please refer to CHANGELOG.md for details.
## create-vite@6.3.1
Please refer to CHANGELOG.md for details.
## v6.3.1
Please refer to CHANGELOG.md for details.
## create-vite@6.3.0
Please refer to CHANGELOG.md for details.
## v6.3.0
Please refer to CHANGELOG.md for details.
## v6.3.0-beta.2
Please refer to CHANGELOG.md for details.
## v6.3.0-beta.1
Please refer to CHANGELOG.md for details.
## v6.3.0-beta.0
Please refer to CHANGELOG.md for details.
## v6.2.7
Please refer to CHANGELOG.md for details.
Changelog
Sourced from vite's changelog.
## 6.3.4 (2025-04-30)
• fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965
• fix(optimizer): return plain object when using `require` to import externals in optimized dependencies (#19940) (efc5eab), closes #19940
• refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935
## 6.3.3 (2025-04-24)
• fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853
• fix(assets): ensure ?no-inline is not included in the asset url in the production environment (#19496) (16a73c0), closes #19496
• fix(css): resolve relative imports in sass properly on Windows (#19920) (ffab442), closes #19920
• fix(deps): update all non-major dependencies (#19899) (a4b500e), closes #19899
• fix(ssr): fix execution order of re-export (#19841) (ed29dee), closes #19841
• fix(ssr): fix live binding of default export declaration and hoist exports getter (#19842) (80a91ff), closes #19842
• perf: skip sourcemap generation for renderChunk hook of import-analysis-build plugin (#19921) (55cfd04), closes #19921
• test(ssr): test `ssrTransform` re-export deps and test stacktrace with first line (#19629) (9399cda), closes #19629
## 6.3.2 (2025-04-18)
• fix: match default asserts case insensitive (#19852) (cbdab1d), closes #19852
• fix: open first url if host does not match any urls (#19886) (6abbdce), closes #19886
• fix(css): respect `css.lightningcss` option in css minification process (#19879) (b5055e0), closes #19879
• fix(deps): update all non-major dependencies (#19698) (bab4cb9), closes #19698
• feat(css): improve lightningcss messages (#19880) (c713f79), closes #19880
## 6.3.1 (2025-04-17)
• fix: avoid using `Promise.allSettled` in preload function (#19805) (35c7f35), closes #19805
• fix: backward compat for internal plugin `transform` calls (#19878) (a152b7c), closes #19878
## 6.3.0 (2025-04-16)
• fix(hmr): avoid infinite loop happening with `hot.invalidate` in circular deps (#19870) (d4ee5e8), closes <https://r…
04/30/2025, 7:39 PM

`.env`, `.env.*`, `*.{crt,pem}`, `**/.env`
• Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`
### Details
`server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns).
These patterns could be bypassed for files under `root` by using a combination of slash and dot (`/.`).
### PoC
```sh
npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173
```
---
### Release Notes
vitejs/vite (vite)
### `v6.2.7`
Please refer to CHANGELOG.md for details.
---
---
### Vite bypasses `server.fs.deny` when using `?raw??`
CVE-2025-30208 / GHSA-x574-m823-4x7w
#### Details
##### Summary
The contents of arbitrary files can be returned to the browser.
##### Impact
Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected.
##### Details
`@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.
##### PoC
```console
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt
```
##### expected behaviour
```console
$ curl "http://localhost:5173/@fs/tmp/secret.txt"
<body>
<h1>403 Restricted</h1>
<p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.
```
##### security bypassed
```console
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```
#### Severity
• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
#### References
• https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w
• https://nvd.nist.gov/vuln/detail/CVE-2025-30208
• https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4
• https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c
• https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41
• https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca
• https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1
• https://github.com/vitejs/vite
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
---
### Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
CVE-2025-31125 / GHSA-4r4m-qw57-chr8
#### Details
##### Summary
The contents of arbitrary files can be returned to the browser.
##### Impact
Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected.
##### Details
• base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`)
• content of non-allowed files is exposed using `?raw?import`
`/@fs/` isn't needed to reproduce the issue for files inside the proj…
05/01/2025, 10:35 PM

`make test`
## references
• Re-implementation of the work done by @igaskin in #3287
• Closes #3256
05/04/2025, 8:25 PM

`run:` does not really work because of the following issues:
• #4308
With custom policy checks enabled, output is parsed but it's not evaluated correctly as described here.
• #4952