Vite has an server.fs.deny bypass with an invalid request-target #30095

Closed
ph360 opened this issue Apr 12, 2025 · 1 comment · Fixed by #30099
Labels: area: @angular/build; freq1: low (only reported by a handful of users who observe it rarely); severity6: security; type: bug/fix

Comments


ph360 commented Apr 12, 2025

Which @angular/* package(s) are the source of the bug?

upgrade

Is this a regression?

No

Description

moderate severity vulnerabilities

vite

Affected versions

>= 6.2.0, < 6.2.6

Patched versions
6.2.6

In package-lock.json it shows me "vite": "6.2.5".

Note:
vite is a dependency of node_modules/@angular/build ("version": "19.2.7").

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

C:\pr360-portal-v3\pr360>npm audit
# npm audit report

vite  6.2.0 - 6.2.5
Severity: moderate
Vite has an `server.fs.deny` bypass with an invalid `request-target` - https://github.com/advisories/GHSA-356w-63v5-8wf4
fix available via `npm audit fix --force`
Will install @angular-devkit/[email protected], which is a breaking change
node_modules/@angular/build/node_modules/vite
  @angular/build  >=19.2.1
  Depends on vulnerable versions of vite
  node_modules/@angular/build
    @angular-devkit/build-angular  >=19.2.1
    Depends on vulnerable versions of @angular/build
    node_modules/@angular-devkit/build-angular

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Please provide the environment you discovered this bug in (run ng version)

Angular CLI: 19.2.7
Node: 22.14.0
Package Manager: npm 11.2.0
OS: win32 x64

Angular: 19.2.6
... common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, platform-server
... router

Package                         Version
---------------------------------------------------------
@angular-devkit/architect       0.1902.7
@angular-devkit/build-angular   19.2.7
@angular-devkit/core            19.2.7
@angular-devkit/schematics      19.2.7
@angular/cli                    19.2.7
@angular/ssr                    19.2.7
@schematics/angular             19.2.7
rxjs                            7.8.2
typescript                      5.7.3
zone.js                         0.15.0

Anything else?

It happens when creating a new Angular 19 project.
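The audit output above flags a copy of vite that is not the hoisted one but a nested copy pinned under `node_modules/@angular/build`. As an added example (not code from the issue or from the Angular CLI project), the script below walks a `package-lock.json` "packages" map, lists every installed vite, reports the parent chain that pins it, and checks each version against the advisory's affected range (>= 6.2.0, < 6.2.6); the lockfile fragment is constructed to mirror the reporter's layout.

```javascript
// Added example: find every installed copy of vite in a lockfileVersion 2/3
// package-lock.json, including nested copies pinned by a parent package, and
// flag those in the advisory's affected range (>= 6.2.0, < 6.2.6).
const AFFECTED = { min: [6, 2, 0], maxExclusive: [6, 2, 6] };

// Minimal semver core parser: strips pre-release/build metadata.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0].split('.').map(Number);
  if (core.length !== 3 || core.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return core;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED.min) >= 0 && compareVersions(v, AFFECTED.maxExclusive) < 0;
}

// Keys of "packages" are install paths, so a nested copy appears as
// ".../node_modules/<parent>/node_modules/vite"; the parents form the chain.
function findVulnerableVite(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vite$/.test(path)) continue;
    const via = path.split('node_modules/').slice(1, -1).map(s => s.replace(/\/$/, ''));
    hits.push({ path, version: meta.version, via, affected: isAffected(meta.version) });
  }
  return hits;
}

// Constructed lockfile fragment (not the reporter's real file): the hoisted
// vite is already patched, but @angular/build pins its own nested 6.2.5.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'pr360' },
    'node_modules/vite': { version: '6.2.6' },
    'node_modules/@angular/build': { version: '19.2.7' },
    'node_modules/@angular/build/node_modules/vite': { version: '6.2.5' },
  },
};

for (const h of findVulnerableVite(SAMPLE_LOCK)) {
  const tag = h.affected ? 'VULNERABLE' : 'ok';
  console.log(`${tag} vite@${h.version} at ${h.path} via ${h.via.join(' > ') || '(root)'}`);
}
```

Point `findVulnerableVite` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; a hit whose `via` chain is non-empty needs the parent package upgraded, not the root vite entry.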

@JeanMeche JeanMeche transferred this issue from angular/angular Apr 12, 2025
alan-agius4 added a commit to alan-agius4/angular-cli that referenced this issue Apr 14, 2025
@alan-agius4 alan-agius4 self-assigned this Apr 14, 2025
@alan-agius4 alan-agius4 added type: bug/fix freq1: low Only reported by a handful of users who observe it rarely severity6: security area: @angular/build labels Apr 14, 2025
@alan-agius4 alan-agius4 linked a pull request Apr 14, 2025 that will close this issue
alan-agius4 added a commit that referenced this issue Apr 15, 2025
@alan-agius4 (Collaborator)

Closed via #30099
