Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency vite to v5.4.12 [security] #725

Merged
merged 1 commit into from
Jan 22, 2025
Merged

chore(deps): update dependency vite to v5.4.12 [security] #725

merged 1 commit into from
Jan 22, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 22, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change OpenSSF
vite (source) devDependencies patch 5.4.11 -> 5.4.12 OpenSSF Scorecard

GitHub Vulnerability Alerts

CVE-2025-24010

Summary

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

Upgrade Path

Users that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

  • Using the backend integration feature
  • Using a reverse proxy in front of Vite
  • Accessing the development server via a domain other than localhost or *.localhost
  • Using a plugin / framework that connects to the WebSocket server on their own from the browser

Using the backend integration feature

If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.

Using a reverse proxy in front of Vite

If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.

Accessing the development server via a domain other than localhost or *.localhost

You need to add the hostname to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option.

Using a plugin / framework that connects to the WebSocket server on their own from the browser

If you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.

In that case, you can either:

  • fix the plugin / framework code to the make it compatible with the new version of Vite
  • set legacy.skipWebSocketTokenCheck: true to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite
    • When enabling this option, make sure that you are aware of the security implications described in the impact section of [2] above.

Mitigation without upgrading Vite

[1]: Permissive default CORS settings

Set server.cors to false or limit server.cors.origin to trusted origins.

[2]: Lack of validation on the Origin header for WebSocket connections

There aren't any mitigations for this.

[3]: Lack of validation on the Host header for HTTP requests

Use Chrome 94+ or use HTTPS for the development server.

Details

There are three causes that allowed malicious websites to send any requests to the development server:

[1]: Permissive default CORS settings

Vite sets the Access-Control-Allow-Origin header depending on server.cors option. The default value was true which sets Access-Control-Allow-Origin: *. This allows websites on any origin to fetch contents served on the development server.

Attack scenario:

  1. The attacker serves a malicious web page (http://malicious.example.com).
  2. The user accesses the malicious web page.
  3. The attacker sends a fetch('http://127.0.0.1:5173/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
  4. The attacker gets the content of http://127.0.0.1:5173/main.js.

[2]: Lack of validation on the Origin header for WebSocket connections

Vite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server did not perform validation on the Origin header and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection (list of the file paths that changed, the file content where the errored happened, etc.), but plugins can send arbitrary messages and may include more sensitive information.

Attack scenario:

  1. The attacker serves a malicious web page (http://malicious.example.com).
  2. The user accesses the malicious web page.
  3. The attacker runs new WebSocket('http://127.0.0.1:5173', 'vite-hmr') by JS in that malicious web page.
  4. The user edits some files.
  5. Vite sends some HMR messages over WebSocket.
  6. The attacker gets the content of the HMR messages.

[3]: Lack of validation on the Host header for HTTP requests

Unless server.https is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.

  1. The attacker serves a malicious web page that is served on HTTP (http://malicious.example.com:5173) (HTTPS won't work).
  2. The user accesses the malicious web page.
  3. The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).
  4. The attacker sends a fetch('/main.js') request by JS in that malicious web page.
  5. The attacker gets the content of http://127.0.0.1:5173/main.js bypassing the same origin policy.

Impact

[1]: Permissive default CORS settings

Users with the default server.cors option may:

  • get the source code stolen by malicious websites
  • give the attacker access to functionalities that are not supposed to be exposed externally
    • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

[2]: Lack of validation on the Origin header for WebSocket connections

All users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.

For users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.

For users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.

[3]: Lack of validation on the Host header for HTTP requests

Users using HTTP for the development server and using a browser that is not Chrome 94+ may:

  • get the source code stolen by malicious websites
  • give the attacker access to functionalities that are not supposed to be exposed externally
    • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

Chrome 94+ users are not affected for [3], because sending a request to a private network page from public non-HTTPS page is forbidden since Chrome 94.

Related Information

Safari has a bug that blocks requests to loopback addresses from HTTPS origins. This means when the user is using Safari and Vite is listening on lookback addresses, there's another condition of "the malicious web page is served on HTTP" to make [1] and [2] to work.

PoC

[2]: Lack of validation on the Origin header for WebSocket connections

  1. I used the react template which utilizes HMR functionality.
npm create vite@latest my-vue-app-react -- --template react
  1. Then on a malicious server, serve the following POC html:
<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>
  1. Kick off Vite
npm run dev
  1. Load the development server (open http://localhost:5173/) as well as the malicious page in the browser.
  2. Edit src/App.jsx file and intentionally place a syntax error
  3. Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed

Here's a video demonstrating the POC:

vite-cswsh.mov

Release Notes

vitejs/vite (vite)

v5.4.12

Compare Source

Please refer to CHANGELOG.md for details.

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the Type: Security The issue is a security related topic label Jan 22, 2025
@renovate renovate bot requested a review from a team as a code owner January 22, 2025 06:37
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 22, 2025
edited
Loading

Warning

Rate limit exceeded

@renovate[bot] has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 13 minutes and 36 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between c677791 and 2e06382.

⛔ Files ignored due to path filters (1)
  • refarch-webcomponent/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • refarch-webcomponent/package.json (1 hunks)

Walkthrough

The pull request involves a minor update to the vite development dependency in the refarch-webcomponent project's package.json file. The version of vite has been changed from 5.4.11 to 5.4.12, indicating a patch-level update that may address bugs or include minor improvements.

Changes

File Change Summary
refarch-webcomponent/package.json Updated Vite dev dependency from 5.4.11 to 5.4.12

Poem

🐰 A Vite update, oh so slight,
Bumping numbers to the right,
From 11 to 12, a tiny leap,
In dependencies, we quietly creep,
Rabbit's build tools dancing bright! 🛠️

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@github-actions github-actions bot added the Template: Webcomponent Issues regarding the webcomponent template. label Jan 22, 2025
coderabbitai[bot]
coderabbitai bot reviewed Jan 22, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d14b4c2 and cb9ab50.

⛔ Files ignored due to path filters (1)
  • refarch-webcomponent/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • refarch-webcomponent/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: build (refarch-backend)
🔇 Additional comments (2)
refarch-webcomponent/package.json (2)

37-37: Verify compatibility with related dependencies.

The Vite update appears compatible with your current setup, including @vitejs/plugin-vue (5.2.1) and vite-plugin-vue-devtools (7.7.0).

Run this script to check for any reported compatibility issues:

✅ Verification successful

Dependencies are compatible ✅

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify compatibility between Vite 5.4.12 and related packages

echo "Checking npm for known compatibility issues..."
npm info vite@5.4.12 peerDependencies
npm info @vitejs/plugin-vue@5.2.1 peerDependencies
npm info vite-plugin-vue-devtools@7.7.0 peerDependencies

Length of output: 525

37-37: LGTM! Important security update.

This update addresses CVE-2025-24010, which fixes a vulnerability in the Vite development server's CORS settings and WebSocket connections.

To ensure secure configuration after the update, run this script to check if any custom CORS or server settings exist that might need review:

✅ Verification successful

Security update is safe to apply, no configuration changes needed

The Vite configuration in your project uses default security settings and local-only proxy configurations. The security improvements from version 5.4.12 will be automatically applied without any conflicts with your current setup.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for custom Vite server configurations that might need review
# after the security update

echo "Checking for Vite config files..."
fd -e ts -e js -e mjs "vite.config" 

echo -e "\nChecking for custom server configurations..."
rg -l "server: {|server:|cors:|hmr:"

Length of output: 444

Script:

#!/bin/bash
echo "=== Content of refarch-webcomponent/vite.config.ts ==="
cat refarch-webcomponent/vite.config.ts

echo -e "\n=== Searching for server configurations with fixed regex ==="
rg "server[[:space:]]*:|cors[[:space:]]*:|hmr[[:space:]]*:" refarch-webcomponent/vite.config.ts

Length of output: 1586

@renovate renovate bot force-pushed the renovate/refarch-webcomponent-npm-vite-vulnerability branch 6 times, most recently from 6215aa3 to 97c5947 Compare January 22, 2025 07:44
@renovate renovate bot force-pushed the renovate/refarch-webcomponent-npm-vite-vulnerability branch from 97c5947 to 2e06382 Compare January 22, 2025 07:53
@devtobi
Copy link
Member

devtobi commented Jan 22, 2025

Seems like we are not affected here because we don't serve the webcomponent template behind the API gateway. However we might need to add the allowedHost later on when we fire HTTP Requests from the webcomponents, but we will see then.

devtobi
devtobi approved these changes Jan 22, 2025
View reviewed changes
Copy link
Member

@devtobi devtobi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@devtobi devtobi merged commit 2d6f181 into main Jan 22, 2025
11 checks passed
@devtobi devtobi deleted the renovate/refarch-webcomponent-npm-vite-vulnerability branch January 22, 2025 10:39
This was referenced Jan 22, 2025
Merged
Merged
Merged
Closed
Closed
Merged
Merged
@coderabbitai coderabbitai bot mentioned this pull request Feb 10, 2025
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@devtobi devtobi devtobi approved these changes

Assignees
No one assigned
Labels
Template: Webcomponent Issues regarding the webcomponent template. Type: Security The issue is a security related topic
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@devtobi