chore(deps): update dependency vite to v7.3.2 [security]#982
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency vite to v7.3.2 [security]#982renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
✅ Deploy Preview for vue-devtools-docs canceled.
|
@vue/devtools-applet
@vue/devtools-core
@vue/devtools
@vue/devtools-api
@vue/devtools-kit
@vue/devtools-electron
@vue/devtools-shared
@vue/devtools-ui
vite-plugin-vue-devtools
commit: |
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
October 21, 2025 21:43
fc39183 to
52b1e3d
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
November 10, 2025 15:51
52b1e3d to
41af714
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
November 17, 2025 16:14
41af714 to
1cfb4b8
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
December 3, 2025 19:01
1cfb4b8 to
30fe956
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
December 31, 2025 16:43
30fe956 to
dd02c10
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
January 8, 2026 19:16
dd02c10 to
b6b09bc
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
2 times, most recently
from
January 23, 2026 19:00
f88519b to
e1df4dd
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 2, 2026 20:06
e1df4dd to
77502a3
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 5, 2026 14:17
77502a3 to
587b1aa
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 5, 2026 18:01
587b1aa to
8ec93b2
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 7, 2026 01:56
8ec93b2 to
89a6506
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 7, 2026 05:57
89a6506 to
8151e33
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 10, 2026 02:34
8151e33 to
80a23d5
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
2 times, most recently
from
February 10, 2026 05:36
c7ccdde to
d80a2e6
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 11, 2026 01:13
d80a2e6 to
0edc475
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 11, 2026 05:13
0edc475 to
4e98c04
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 25, 2026 04:58
e67af02 to
b410422
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 28, 2026 11:01
b410422 to
2b59fc6
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
February 28, 2026 13:02
2b59fc6 to
9123413
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 1, 2026 06:54
9123413 to
12bdbed
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 1, 2026 20:58
12bdbed to
a76657e
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 5, 2026 10:34
a76657e to
efb9352
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 5, 2026 13:38
efb9352 to
10df489
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 5, 2026 20:47
10df489 to
767c959
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 6, 2026 00:51
767c959 to
52ea8df
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 6, 2026 04:29
52ea8df to
a09fb0a
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 6, 2026 06:18
a09fb0a to
6cfe213
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 8, 2026 08:20
6cfe213 to
f080377
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
from
March 8, 2026 12:46
f080377 to
b6a87df
Compare
renovate
Bot
force-pushed
the
renovate/npm-vite-vulnerability
branch
2 times, most recently
from
March 13, 2026 00:31
69ea898 to
a6942b2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
7.1.10→7.3.2vite allows server.fs.deny bypass via backslash on Windows
CVE-2025-62522 / GHSA-93m4-6634-74q7
More information
Details
Summary
Files denied by
server.fs.denywere sent if the URL ended with\when the dev server is running on Windows.Impact
Only apps that match the following conditions are affected:
server.hostconfig option)Details
server.fs.denycan contain patterns matching against files (by default it includes.env,.env.*,*.{crt,pem}as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is thatfs.readFile('/foo.png/')loads/foo.png.PoC
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Vite:
server.fs.denybypassed with queriesCVE-2026-39364 / GHSA-v2wj-q39q-566r
More information
Details
Summary
The contents of files that are specified by
server.fs.denycan be returned to the browser.Impact
Only apps that match the following conditions are affected:
--hostorserver.hostconfig option)server.fs.allowserver.fs.denyDetails
On the Vite dev server, files that should be blocked by
server.fs.deny(e.g.,.env,*.crt) can be retrieved with HTTP 200 responses when query parameters such as?raw,?import&raw, or?import&url&inlineare appended.PoC
pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPortserver.fs.denyis enforced (expect 403):curl -i http://127.0.0.1:5175/src/.env | head -n 20Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
CVE-2026-39363 / GHSA-p9ff-h696-f583
More information
Details
Summary
server.fscheck was not enforced to thefetchModulemethod that is exposed in Vite dev server's WebSocket.Impact
Only apps that match the following conditions are affected:
--hostorserver.hostconfig option)server.ws: falseArbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.
Details
If it is possible to connect to the Vite dev server’s WebSocket without an
Originheader, an attacker can invokefetchModulevia the custom WebSocket eventvite:invokeand combinefile://...with?raw(or?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g.,export default "...").The access control enforced in the HTTP request path (such as
server.fs.allow) is not applied to this WebSocket-based execution path.PoC
Start the dev server on the target
Example (used during validation with this repository):
pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173Confirm that access is blocked via the HTTP path (example: arbitrary file)
curl -i 'http://localhost:5173/@​fs/etc/passwd?raw'Result:

403 Restricted(outside the allow list)Confirm that the same file can be retrieved via the WebSocket path
By connecting to the HMR WebSocket without an
Originheader and sending avite:invokerequest that callsfetchModulewith afile://...URL and?raw, the file contents are returned as a JavaScript module.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Vite Vulnerable to Path Traversal in Optimized Deps
.mapHandlingCVE-2026-39365 / GHSA-4w7w-66w2-5vf9
More information
Details
Summary
Any files ending with
.mapeven out side the project can be returned to the browser.Impact
Only apps that match the following conditions are affected:
--hostorserver.hostconfig option).mapand the path is predictableDetails
In Vite v7.3.1, the dev server’s handling of
.maprequests for optimized dependencies resolves file paths and callsreadFilewithout restricting../segments in the URL. As a result, it is possible to bypass theserver.fs.strictallow list and retrieve.mapfiles located outside the project root, provided they can be parsed as valid source map JSON.PoC
/@​fsaccess is blocked bystrict(returns 403)../segments under the optimized deps.mapURL prefix to reach/tmp/poc.mapSeverity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vitejs/vite (vite)
v7.3.2Compare Source
Please refer to CHANGELOG.md for details.
v7.3.1Compare Source
Please refer to CHANGELOG.md for details.
v7.3.0Compare Source
Please refer to CHANGELOG.md for details.
v7.2.7Compare Source
v7.2.6Compare Source
7.2.6 (2025-12-01)
v7.2.4Compare Source
Bug Fixes
v7.2.3Compare Source
Bug Fixes
bindCLIShortcutscalls with shortcut merging (#21103) (5909efd)Performance Improvements
Miscellaneous Chores
v7.2.2Compare Source
Bug Fixes
v7.2.1Compare Source
Bug Fixes
Code Refactoring
indexOfMatchInSlicetofindPreloadMarker(#21054) (f83264f)v7.2.0Compare Source
Bug Fixes
getBuiltinsresponse JSON serializable (#21029) (ad5b3bf)Miscellaneous Chores
v7.1.12Compare Source
Please refer to CHANGELOG.md for details.
v7.1.11Compare Source
Bug Fixes
server.fs.denycheck (#20968) (f479cc5)Miscellaneous Chores
Code Refactoring
Build System
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.