Status: Open
Labels: issue: bug, pr: security, severity: low, source: sdk-plugin, status: pending reproduction
Description
What version of @strapi/sdk-plugin are you using?
Currently using @strapi/sdk-plugin@5.3.2
What's Wrong?
Security Vulnerability Report
The @strapi/sdk-plugin@5.3.2 package currently depends on a vulnerable version of Vite (5.4.8) through the following dependency chain:
@strapi/sdk-plugin@5.3.2
└─┬ @strapi/pack-up@5.1.0
  ├─┬ @vitejs/plugin-react-swc@3.7.0
  │ └── vite@5.4.8
  └── vite@5.4.8
Vulnerability Details
- CVE/GHSA: GHSA-vg6x-rcgg-rjx6
- Type: Cross-site WebSocket Hijacking & insecure CORS configuration
- Severity: Moderate (CVSS 6.5)
- Fixed Version: Vite 5.4.12 or higher
Impact
This vulnerability allows any malicious website a developer visits to:
- Access source code directly from the Vite dev server via localhost
- Read WebSocket messages containing file paths and potentially sensitive code
- Monitor file changes and error messages through the WebSocket connection
While this only affects development environments (not production builds), it represents a significant risk for developers working with proprietary or sensitive code bases who may browse the web while running the dev server.
To Reproduce
The vulnerability is present in any project using the affected version when:
- A developer runs the Vite dev server locally (e.g., during development)
- The same developer visits a malicious or compromised website in another browser tab
- The malicious site can then read source code and WebSocket messages from the local dev server
Expected Behaviour
Please update to Vite ≥5.4.12, which has patched this vulnerability.
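To check whether a project's lockfile still resolves Vite below the fixed version, here is an added Node.js example (not part of this issue or of the Strapi project) that walks the packages map of a package-lock.json; the sample lockfile is constructed to mirror the dependency chain reported above, and FIXED_VITE is the patched version named in the advisory.

```javascript
// Added example (not from the issue): scan a package-lock.json (lockfile v2/v3
// "packages" map) for vite installs below the fixed version and report their paths.
const FIXED_VITE = "5.4.12"; // GHSA-vg6x-rcgg-rjx6: Vite >= 5.4.12 is patched

// Numeric compare of two "x.y.z" version strings (pre-release suffixes ignored).
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every vite install path in the lockfile whose version is below FIXED_VITE.
// Nested copies (node_modules/<dep>/node_modules/vite) are included, since a
// hoisted patched copy does not fix a nested vulnerable one.
function findVulnerableVite(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/vite") || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VITE) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the chain in the report
// (@strapi/sdk-plugin -> @strapi/pack-up -> @vitejs/plugin-react-swc -> vite@5.4.8),
// plus a nested, already-patched copy to show it is not flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@strapi/sdk-plugin": { version: "5.3.2" },
    "node_modules/@strapi/pack-up": { version: "5.1.0" },
    "node_modules/@vitejs/plugin-react-swc": { version: "3.7.0" },
    "node_modules/vite": { version: "5.4.8" },
    "node_modules/some-other-tool/node_modules/vite": { version: "5.4.12" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const h of findVulnerableVite(SAMPLE_LOCK)) {
    console.log(`${h.path}: vite@${h.version} is below ${FIXED_VITE}`);
  }
}
```

To run against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.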
Project status: Scheduled in sprint