OWASP security scans have identified that Vite versions below 5.4.12 are vulnerable (e.g., CVE-2025-24010 / GHSA-vg6x-rcgg-rjx6). @strapi/pack-up currently depends on Vite 5.4.8, which is affected by this vulnerability. Requesting an update of the Vite dependency to at least version 5.4.12 (or a later secure version) to mitigate this risk.
Details
Vite versions below 5.4.12 have known issues due to default permissive CORS settings and inadequate validation on WebSocket connections. This allows malicious websites to send arbitrary requests to the development server and potentially read sensitive responses.
Affected Versions: Vite 5.4.8 (current)
Patched Versions:
For 4.x: >=4.5.6 <5.0.0
For 5.x: >=5.4.12 <6.0.0
For 6.x: >=6.0.9
Impact
If exploited, the vulnerability can allow unauthorized access to development server content, including:
Source code exposure due to permissive CORS.
Sensitive HMR (Hot Module Replacement) data leakage through WebSocket hijacking.
Potential internal information disclosure.
Recommendation
Update the Vite dependency in @strapi/pack-up from version 5.4.8 to at least 5.4.12 (or a later secure version). This update will mitigate the vulnerability and protect downstream projects that rely on @strapi/pack-up.
What's Wrong?
Vite dependency version update from 5.4.8 to at least 5.4.12 (or a later secure version).
To Reproduce
Utilize an OWASP tool or similar for vulnerability tracking
Expected Behaviour
Resolved security vulnerabilities originating from strapi/pack-up
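As an added example (not code from the issue or from @strapi/pack-up), the following Node script checks every Vite copy in a package-lock.json against the patched ranges quoted above, so a consumer can confirm whether a nested copy pulled in by @strapi/pack-up is still on an affected version. The lockfile content is a constructed sample.

```javascript
// Patched Vite ranges from the advisory quoted in the issue:
// >=4.5.6 <5.0.0, >=5.4.12 <6.0.0, >=6.0.9
const PATCHED_MIN = { 4: [4, 5, 6], 5: [5, 4, 12], 6: [6, 0, 9] };

// Parse "x.y.z" (optionally with a leading "v" or a prerelease suffix) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version lies in a patched range for its major line.
// Majors newer than 6 post-date the fix; majors older than 4 have no patched release listed.
function isPatched(version) {
  const v = parseVersion(version);
  if (!v) return false;
  const min = PATCHED_MIN[v[0]];
  if (!min) return v[0] > 6;
  return compare(v, min) >= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report
// every installed vite (top-level or nested under another package).
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/vite" || path.endsWith("/node_modules/vite")) {
      findings.push({ path, version: meta.version, patched: isPatched(meta.version) });
    }
  }
  return findings;
}

// Constructed sample: a consumer whose own vite is fixed, but whose @strapi/pack-up
// still resolves the affected 5.4.8 into a nested node_modules.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@strapi/pack-up": { dependencies: { vite: "5.4.8" } },
    "node_modules/@strapi/pack-up/node_modules/vite": { version: "5.4.8" },
    "node_modules/vite": { version: "5.4.12" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.patched ? "ok      " : "AFFECTED"} ${f.path} (${f.version})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.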
jendcruz22 changed the title from "[bug]: Vite versions below 5.4.12 are vulnerable" to "[bug]: Security vulnerability - Vite versions below 5.4.12 are vulnerable" on Mar 11, 2025