Vite Cross-Site WebSocket Hijacking and CORS Vulnerability

Vulnerability

A vulnerability in Vite, a frontend build tool and development server for JavaScript, allows any website to send requests to the Vite development server and read the responses. Two defaults cause it: the dev server's Cross-Origin Resource Sharing (CORS) settings permit all origins, and the WebSocket endpoint used for Hot Module Replacement (HMR) does not validate the Origin header on the upgrade request. Affected versions are 6.0.0 through 6.0.8, 5.0.0 through 5.4.11, and 4.0.0 through 4.5.5. The vulnerability is exploitable even when the development server listens only on localhost and is not exposed to the network: the attacker's page runs in the developer's own browser, which can reach localhost, and the browser attaches an Origin header that the server never checks.

Impact

Exploitation leads to Cross-Site WebSocket Hijacking (CSWSH): a page on any origin opened in the developer's browser can connect to the dev server's WebSocket and both read and write messages on it. Because the CORS default also lets any origin read HTTP responses, the same page can fetch the files the dev server serves. This is most serious for users of Vite plugins that send or respond to WebSocket messages, since any sensitive data those messages carry is exposed and any action they trigger can be invoked by the attacker.

Reproduction

To reproduce, create a new Vite project from the React template, which includes Hot Module Replacement (HMR) and therefore opens the HMR WebSocket, and start the development server. From a different origin, serve an HTML page whose script opens a WebSocket to the Vite server. The browser attaches an Origin header naming the attacker's site, but the vulnerable server does not check it, so the handshake succeeds and the page can read every message on the socket, including HMR updates and whatever Vite plugins send, and can inject messages of its own.
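As an added example (not code from the Vite project or from this advisory), the following Node.js snippet shows the check whose absence makes the reproduction above work: Origin validation on the WebSocket upgrade, beside the unchecked form. It assumes the `vite-hmr` subprotocol that Vite's HMR client requests; the hostnames in the comments and tests are constructed placeholders, and `guardUpgrades` takes any Node `http.Server` plus an `onAccepted` callback that hands the socket to whatever WebSocket library is in use.

```javascript
// Added example, not Vite's own code: the Origin check a dev server's
// WebSocket upgrade handler needs, shown beside the unchecked form that
// allows CSWSH. Hostnames are constructed for illustration.

// Loopback names: localhost and its subdomains (browsers resolve *.localhost
// to loopback), 127.0.0.1 and [::1]. Written for this example, not Vite's regex.
const LOOPBACK_HOST = /^(?:(?:[^.]+\.)*localhost|127\.0\.0\.1|\[::1\])$/i;

// Decide whether a request carrying `origin` may use the dev server.
//  - no Origin header: not a browser, and CSWSH needs a browser, so allow
//  - http(s) origin on a loopback host: allow
//  - host explicitly listed in allowedHosts (reverse proxy, custom domain): allow
//  - anything else, including the literal "null" origin: reject
function isAllowedOrigin(origin, allowedHosts = []) {
  if (origin === undefined) return true;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // "null", garbage, or a bare hostname
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase(); // port stripped; IPv6 keeps brackets
  if (LOOPBACK_HOST.test(host)) return true;
  return allowedHosts.some((h) => h.toLowerCase() === host);
}

// Vulnerable shape: any page that asks for the HMR subprotocol gets the socket.
function acceptUpgradeUnchecked(req) {
  return req.headers['sec-websocket-protocol'] === 'vite-hmr';
}

// Hardened shape: same subprotocol check plus Origin validation.
function acceptUpgrade(req, allowedHosts = []) {
  return (
    req.headers['sec-websocket-protocol'] === 'vite-hmr' &&
    isAllowedOrigin(req.headers.origin, allowedHosts)
  );
}

// Wire the check into a Node http.Server before handing the socket to the
// WebSocket implementation. Rejected upgrades get a 403 and a closed socket.
function guardUpgrades(server, allowedHosts, onAccepted) {
  server.on('upgrade', (req, socket, head) => {
    if (!acceptUpgrade(req, allowedHosts)) {
      socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      socket.destroy();
      return;
    }
    onAccepted(req, socket, head); // e.g. wss.handleUpgrade(req, socket, head, ...)
  });
}
```

The policy choices are the point: a missing Origin header is accepted because only browsers send one and CSWSH needs a browser, the literal `null` origin (sandboxed iframes, `file://` pages) is rejected because it does not parse as an origin, and `*.localhost` is accepted because browsers resolve it to loopback. A plugin that exposes its own WebSocket endpoint can apply the same check.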

Remediation

Upgrade to Vite 6.0.9, 5.4.12, or 4.5.6, whichever matches the major version in use. The fixed versions tighten the CORS default and validate the Origin header of WebSocket connections, so some setups need configuration after upgrading. If you use the backend integration feature, specify the origin of the backend server in the server.cors option so that it can still read dev-server responses. If the dev server sits behind a reverse proxy, add the proxy's hostname to server.allowedHosts; the same applies if you reach the dev server through any domain other than localhost. Plugins that open their own connections to the WebSocket server may need a Vite upgrade or changes to their code to keep working under the stricter checks.
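As an added example (not from the Vite project), the `server` section of a vite.config.js is shown below with the pre-fix setting beside the hardened one. `http://localhost:8000` and `dev.example.com` are constructed placeholders for a backend integration server and a reverse-proxy hostname.

```javascript
// Added example, not Vite's own code: the `server` section of vite.config.js
// before and after the fix. Origins and hostnames are constructed placeholders.

// The pre-fix default, spelled out: CORS enabled for every origin, so any site
// the developer visits can fetch dev-server responses and read them.
const weakServer = {
  cors: true,
};

// Hardened: only the backend that embeds the dev assets may read responses
// cross-origin, and the hostnames the dev server is reached through (reverse
// proxy, non-localhost domain) are listed explicitly in server.allowedHosts.
function hardenedServer({ backendOrigin, allowedHosts = [] } = {}) {
  return {
    // Only a backend integration needs cross-origin reads; name it exactly.
    // Without one, leave server.cors unset so the patched default applies.
    ...(backendOrigin ? { cors: { origin: [backendOrigin] } } : {}),
    allowedHosts: [...allowedHosts],
  };
}

// In vite.config.js:
//   export default {
//     server: hardenedServer({
//       backendOrigin: 'http://localhost:8000',
//       allowedHosts: ['dev.example.com'],
//     }),
//   };
```

Listing the backend origin rather than restoring `cors: true` keeps the read permission scoped to the one origin that needs it.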

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 7.4
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.