[Security] Bump vite from 5.2.11 to 5.4.11
Bumps vite from 5.2.11 to 5.4.11. This update includes security fixes.
Vulnerabilities fixed
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Summary
The contents of arbitrary files can be returned to the browser.
Details
`@fs` denies access to files outside of Vite's serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists.
PoC
```shell
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt
```
expected behaviour
```shell
$ curl "http://localhost:5173/@fs/tmp/secret.txt"
<body>
<h1>403 Restricted</h1>
```
... (truncated)
Patched versions: 5.1.8; 5.2.14; 3.2.11; 4.5.4; 5.3.6; 5.4.6
Affected versions: >= 5.0.0, = 5.4.0, <= 5.4.5
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Summary
We discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.
Note that we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
Details
Background
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of JS code) living in the existing JavaScript code to transform it into executable code. For more information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadgets found in Vite
We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`.
However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the `src` attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.
... (truncated)
Patched versions: 5.1.8; 3.2.11; 5.2.14; 5.3.6; 5.4.6; 4.5.4
Affected versions: >= 5.0.0, = 4.0.0, < 4.5.4
Release notes
Sourced from vite's releases.
create-vite@5.4.0
Please refer to CHANGELOG.md for details.
create-vite@5.3.0
Please refer to CHANGELOG.md for details.
Changelog
Sourced from vite's changelog.
6.0.3 (2024-12-05)
- fix: handle postcss load unhandled rejections (#18886) (d5fb653), closes #18886
- fix: make handleInvoke interface compatible with invoke (#18876) (a1dd396), closes #18876
- fix: make result interfaces for `ModuleRunnerTransport#invoke` more explicit (#18851) (a75fc31), closes #18851
- fix: merge `environments.ssr.resolve` with root `ssr` config (#18857) (3104331), closes #18857
- fix: no permission to create vite config file (#18844) (ff47778), closes #18844
- fix: remove CSS import in CJS correctly in some cases (#18885) (690a36f), closes #18885
- fix(config): bundle files referenced with imports field (#18887) (2b5926a), closes #18887
- fix(config): make stacktrace path correct when sourcemap is enabled (#18833) (20fdf21), closes #18833
- fix(css): rewrite url when image-set and url exist at the same time (#18868) (d59efd8), closes #18868
- fix(deps): update all non-major dependencies (#18853) (5c02236), closes #18853
- fix(html): allow unexpected question mark in tag name (#18852) (1b54e50), closes #18852
- fix(module-runner): decode uri for file url passed to import (#18837) (88e49aa), closes #18837
- refactor: fix logic errors found by no-unnecessary-condition rule (#18891) (ea802f8), closes #18891
- chore: fix duplicate attributes issue number in comment (#18860) (ffee618), closes #18860
6.0.2 (2024-12-02)
- chore: run typecheck in unit tests (#18858) (49f20bb), closes #18858
- chore: update broken links in changelog (#18802) (cb754f8), closes #18802
- chore: update broken links in changelog (#18804) (47ec49f), closes #18804
- fix: don't store temporary vite config file in `node_modules` if deno (#18823) (a20267b), closes #18823
- fix(css): referencing aliased svg asset with lightningcss enabled errored (#18819) (ae68958), closes #18819
- fix(manifest): use `style.css` as a key for the style file for `cssCodesplit: false` (#18820) (ec51115), closes #18820
- fix(optimizer): resolve all promises when cancelled (#18826) (d6e6194), closes #18826
- fix(resolve): don't set builtinModules to `external` by default (#18821) (2250ffa), closes #18821
- fix(ssr): set `ssr.target: 'webworker'` defaults as fallback (#18827) (b39e696), closes #18827
- feat(css): format lightningcss error (#18818) (dac7992), closes #18818
- refactor: make properties of ResolvedServerOptions and ResolvedPreviewOptions required (#18796) (51a5569), closes #18796
6.0.1 (2024-11-27)
- fix: default empty server `proxy` prevents starting http2 server (#18788) (bbaf514), closes #18788
- fix(manifest): do not override existing js manifest entry (#18776) (3b0837e), closes #18776
- fix(server): close _ssrCompatModuleRunner on server close (#18784) (9b4c410), closes #18784
- fix(server): skip hot channel client normalization for wsServer (#18782) (cc7670a), closes #18782
- fix(worker): fix `applyToEnvironment` hooks on worker build (#18793) (0c6cdb0), closes #18793
- chore: flat v6 config file (#18777) (c7b3308), closes #18777
- chore: split changelog (#18787) (8542632), closes #18787
- chore: update changelog for v6 (#18773) (b254fac), closes #18773
- revert: update moduleResolution value casing (#18409) (#18774) (b0fc6e3), closes #18409 #18774
6.0.0 (2024-11-26)
... (truncated)
Commits
- c54c860 release: v5.4.11
- 5f52bc8 release: v5.4.10
- 7d1a3bc fix: backport #18367,augment hash for CSS files to prevent chromium erroring ...
- 898d61f release: v5.4.9
- 508d9ab fix: bump launch-editor-middleware to v2.9.1 (#18348)
- dc5434c fix(deps): bump tsconfck (#18322)
- 851b258 fix(hmr): don't try to rewrite imports for direct CSS soft invalidation (#18252)
- 96084d6 fix(data-uri): only match ids starting with `data:` (#18241)
- eae00b5 fix(css): fix lightningcss dep url resolution with custom root (#18125)
- c23558a chore: update all url references of vitejs.dev to vite.dev (#18276)
- Additional commits viewable in compare view