Skip to content

fix: bump vite to >=7.3.2 to resolve CVE-2026-39363 and CVE-2026-39364#255

Open
Hale730 wants to merge 1 commit into
cloudflare:mainfrom
Hale730:hporter/fix-vite-cve
Open

fix: bump vite to >=7.3.2 to resolve CVE-2026-39363 and CVE-2026-39364#255
Hale730 wants to merge 1 commit into
cloudflare:mainfrom
Hale730:hporter/fix-vite-cve

Conversation

@Hale730

@Hale730 Hale730 commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

What

Upgrades vite from 7.3.1 to 7.3.2 to fix two HIGH severity CVEs that were blocking CI.

Why

The Semgrep security scan was blocking on:

  • CVE-2026-39363 — Vite's dev server WebSocket exposes fetchModule, letting unauthenticated attackers read arbitrary files from the host
  • CVE-2026-39364 — Vite's dev server can bypass server.fs.deny, leaking sensitive files like .env via query params like ?raw or ?import&raw

Both fixed in vite 7.3.2.

How

An override was already in package.json ("overrides": { "vite": "^8" }) but was never taking effect — pnpm v10 no longer reads overrides from package.json. The correct location is pnpm-workspace.yaml.

  • Removed the non-functional overrides block from package.json
  • Added overrides: { vite: ">=7.3.2" } to pnpm-workspace.yaml
  • Regenerated pnpm-lock.yaml[email protected] is gone, only 7.3.2 remains

Stayed on 7.x rather than 8.x because @vitejs/[email protected] only supports vite 4–7.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant