Suggestions search

All statuses

Filter by:

With package: python314Packages.django-vite

Found 3 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-39364

created 1 week ago

Vite has a `server.fs.deny` bypass with queries

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

References

https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r x_refsource_CONFIRM

Affected products

vite

==>= 8.0.0, < 8.0.5
==>= 7.1.0, < 7.3.2

vite-plus

==< 0.1.16

Matching in nixpkgs

pkgs.vite

Visual Trace Explorer (ViTE), a tool to visualize execution traces

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.4
- nixos-25.11-small 1.4
- nixpkgs-25.11-darwin 1.4

pkgs.vitejs

Frontend tooling for NodeJS

nixos-unstable 7.3.1
- nixpkgs-unstable 7.3.1
- nixos-unstable-small 7.3.1

pkgs.vitess

Database clustering system for horizontal scaling of MySQL

nixos-unstable 23.0.3
- nixpkgs-unstable 23.0.3
- nixos-unstable-small 23.0.3
nixos-25.11 22.0.1
- nixos-25.11-small 22.0.1
- nixpkgs-25.11-darwin 22.0.1

pkgs.vitetris

Terminal-based Tetris clone by Victor Nilsson

nixos-unstable 0.59.1
- nixpkgs-unstable 0.59.1
- nixos-unstable-small 0.59.1
nixos-25.11 0.59.1
- nixos-25.11-small 0.59.1
- nixpkgs-25.11-darwin 0.59.1

pkgs.python312Packages.django-vite

Integration of ViteJS in a Django project

nixos-25.11 3.1.0
- nixos-25.11-small 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python313Packages.django-vite

Integration of ViteJS in a Django project

nixos-unstable 3.1.0
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0
nixos-25.11 3.1.0
- nixos-25.11-small 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python314Packages.django-vite

Integration of ViteJS in a Django project

nixos-unstable 3.1.0
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0

pkgs.vscode-extensions.vitest.explorer

Vitest extension for Visual Studio Code

nixos-unstable 1.50.0
- nixpkgs-unstable 1.50.0
- nixos-unstable-small 1.50.1

Package maintainers

@sephii Sylvain Fankhauser <sephi@fhtagn.top>
@urandom2 Colin Arnott <colin@urandom.co.uk>
@siers Raitis Veinbahs <veinbahs+nixpkgs@gmail.com>

Untriaged

Permalink CVE-2026-39365

created 1 week ago

Vite has a Path Traversal in Optimized Deps `.map` Handling

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

References

https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9 x_refsource_CONFIRM

Affected products

vite

==>= 8.0.0, < 8.0.5
==>= 6.0.0, < 6.4.2
==>= 7.0.0, < 7.3.2

vite-plus

==< 0.1.16

Matching in nixpkgs

pkgs.vite

Visual Trace Explorer (ViTE), a tool to visualize execution traces

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.4
- nixos-25.11-small 1.4
- nixpkgs-25.11-darwin 1.4

pkgs.vitejs

Frontend tooling for NodeJS

nixos-unstable 7.3.1
- nixpkgs-unstable 7.3.1
- nixos-unstable-small 7.3.1

pkgs.vitess

Database clustering system for horizontal scaling of MySQL

nixos-unstable 23.0.3
- nixpkgs-unstable 23.0.3
- nixos-unstable-small 23.0.3
nixos-25.11 22.0.1
- nixos-25.11-small 22.0.1
- nixpkgs-25.11-darwin 22.0.1

pkgs.vitetris

Terminal-based Tetris clone by Victor Nilsson

nixos-unstable 0.59.1
- nixpkgs-unstable 0.59.1
- nixos-unstable-small 0.59.1
nixos-25.11 0.59.1
- nixos-25.11-small 0.59.1
- nixpkgs-25.11-darwin 0.59.1

pkgs.python312Packages.django-vite

Integration of ViteJS in a Django project

nixos-25.11 3.1.0
- nixos-25.11-small 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python313Packages.django-vite

Integration of ViteJS in a Django project

nixos-unstable 3.1.0
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0
nixos-25.11 3.1.0
- nixos-25.11-small 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python314Packages.django-vite

Integration of ViteJS in a Django project

nixos-unstable 3.1.0
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0

pkgs.vscode-extensions.vitest.explorer

Vitest extension for Visual Studio Code

nixos-unstable 1.50.0
- nixpkgs-unstable 1.50.0
- nixos-unstable-small 1.50.1

Package maintainers

@sephii Sylvain Fankhauser <sephi@fhtagn.top>
@urandom2 Colin Arnott <colin@urandom.co.uk>
@siers Raitis Veinbahs <veinbahs+nixpkgs@gmail.com>

Untriaged

Permalink CVE-2026-39363

created 1 week ago

Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.