Skip to content

chore(deps): update dependency vite-plugin-static-copy to v3.1.2 [security]#2101

Open
renovate[bot] wants to merge 1 commit intodevfrom
renovate/npm-vite-plugin-static-copy-vulnerability
Open

chore(deps): update dependency vite-plugin-static-copy to v3.1.2 [security]#2101
renovate[bot] wants to merge 1 commit intodevfrom
renovate/npm-vite-plugin-static-copy-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Aug 21, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
vite-plugin-static-copy 3.0.03.1.2 age confidence

GitHub Vulnerability Alerts

CVE-2025-57753

Summary

Files not included in src was possible to access with a crafted request.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Arbitrary files can be disclosed by exploiting this vulnerability.

Details

Consider the following configuration in used by vite.config.ts:

import { defineConfig } from 'vite'
import { viteStaticCopy } from 'vite-plugin-static-copy'

export default defineConfig({
    plugins: [
      viteStaticCopy({
        targets: [
          {
            src: "./public/images",
            dest: "./",
          },
        ],
      }),
    ],
  });

The files under the ./public/images is only expected to be served. Abusing this vulnerability, an attacker can access arbitrary files on the filesystem.

PoC

I've attached a demo app to showcase the bug.

Run it with npm run dev and issue the following HTTP request

GET /static/images/../../../../../../../etc/passwd HTTP/1.1
Host: localhost:3001
Content-Length: 2

OR

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: localhost:3001' -H $'Content-Length: 2' \
    --data-binary $'\x0d\x0a' \
    $'http://localhost:3001/static/images/../../../../../../../etc/passwd'

Observe that the /etc/passwd file is included in the response.

Screenshot 2025-08-16 at 10 27 11 PM
Severity
  • CVSS Score: 6.0 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Release Notes

sapphi-red/vite-plugin-static-copy (vite-plugin-static-copy)

v3.1.2

Compare Source

Patch Changes

v3.1.1

Compare Source

Patch Changes

v3.1.0

Compare Source

Minor Changes

v3.0.2

Compare Source

Patch Changes

v3.0.1

Compare Source

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner August 21, 2025 19:53
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Aug 21, 2025
@netlify
Copy link
Copy Markdown

netlify bot commented Aug 21, 2025
edited
Loading

Deploy Preview for kleros-v2-neo failed. Why did it fail? →

Name Link
🔨 Latest commit d48d83c
🔍 Latest deploy log https://app.netlify.com/projects/kleros-v2-neo/deploys/69d937ef64ab4d00086a5950

@netlify
Copy link
Copy Markdown

netlify bot commented Aug 21, 2025
edited
Loading

Deploy Preview for kleros-v2-university failed. Why did it fail? →

Name Link
🔨 Latest commit 01a38f6
🔍 Latest deploy log https://app.netlify.com/projects/kleros-v2-university/deploys/68c9a433fa4a780008fe97a2

@netlify
Copy link
Copy Markdown

netlify bot commented Aug 21, 2025
edited
Loading

Deploy Preview for kleros-v2-testnet ready!

Name Link
🔨 Latest commit d48d83c
🔍 Latest deploy log https://app.netlify.com/projects/kleros-v2-testnet/deploys/69d937efa526b40008f2e87b
😎 Deploy Preview https://deploy-preview-2101--kleros-v2-testnet.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Aug 21, 2025
edited
Loading

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (1)
  • chore(deps):

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@netlify
Copy link
Copy Markdown

netlify bot commented Aug 21, 2025
edited
Loading

Deploy Preview for kleros-v2-testnet-devtools failed. Why did it fail? →

Name Link
🔨 Latest commit d48d83c
🔍 Latest deploy log https://app.netlify.com/projects/kleros-v2-testnet-devtools/deploys/69d937ef0b4ead0008936696

@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 5 times, most recently from ac37d04 to f714aba Compare August 27, 2025 04:04
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 7 times, most recently from 8989296 to cad782e Compare September 4, 2025 23:40
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 2 times, most recently from b1d0576 to 5464187 Compare September 11, 2025 02:31
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 3 times, most recently from bc256a1 to dd1fd7b Compare September 23, 2025 11:09
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 3 times, most recently from 94fa0a7 to 7cb9d42 Compare September 30, 2025 18:05
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 2 times, most recently from ac94285 to c2df71d Compare October 7, 2025 16:57
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 3 times, most recently from d7f3fe9 to 31e4ad2 Compare December 12, 2025 19:29
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 6 times, most recently from 3a1e0b4 to 4d1ee0f Compare December 23, 2025 22:02
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 3 times, most recently from 0664610 to 544e709 Compare December 31, 2025 20:10
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 4 times, most recently from 0a01a4d to 81767ba Compare January 14, 2026 11:40
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 9 times, most recently from ae33d6c to 39249fd Compare January 21, 2026 14:16
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch from 39249fd to 7a36012 Compare February 2, 2026 21:13
@renovate renovate bot force-pushed the renovate/npm-vite-plugin-static-copy-vulnerability branch 2 times, most recently from 61816d6 to a9e4777 Compare February 16, 2026 11:36
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 10, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jaybuidl jaybuidl

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jaybuidl