Risk: Websites were able to send any requests to the development server and read the response in vite #35

@radah19

Description

https://github.com/radah19/vibes-app/security/dependabot/2

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.
Users who do not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

There's a suggested AI fix I won't take too much to heart, but it seems the version of Vite this project is using was flagged as at risk of being less secure in its handling of CORS.

Labels: enhancement (New feature or request)