
Moderate GHSA issue with vite dependency to @angular/build@19.2.18 and Vite 6.4.0 #31591

@Chewieez


Command

build

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

There is a vulnerability in Vite 4.6.0 that affects Angular v19.

This was previously fixed in Angular v20.

Github Advisory link: vite allows server.fs.deny bypass via backslash on Windows

Minimal Reproduction

To reproduce run npm audit fix

# npm audit report

vite  6.0.0 - 6.4.0
Severity: moderate
vite allows server.fs.deny bypass via backslash on Windows - https://github.com/advisories/GHSA-93m4-6634-74q7
fix available via `npm audit fix --force`
Will install @angular/build@19.0.7, which is a breaking change
node_modules/vite
  @angular/build  19.1.0-next.0 - 20.1.0-rc.0
  Depends on vulnerable versions of vite
  node_modules/@angular/build

Exception or Error


Your Environment

Angular CLI: 19.2.17
Node: 20.12.2
Package Manager: npm 10.8.2
OS: darwin arm64

Angular: 19.2.15
... animations, common, compiler, compiler-cli, core, forms
... localize, platform-browser, platform-browser-dynamic, router

Package                      Version
------------------------------------------------------
@angular-devkit/architect    0.1902.17
@angular-devkit/core         19.2.17
@angular-devkit/schematics   19.2.17
@angular/build               19.2.17
@angular/cdk                 19.2.19
@angular/cli                 19.2.17
@angular/material            19.2.19
@schematics/angular          19.2.17
rxjs                         7.8.2
typescript                   5.8.3
zone.js                      0.15.1

Anything else relevant?

This was already reported in Angular v20 but it also affects Angular v19.

It is supposedly fixed in Vite 6.4.1

Report from Snyk:

SNYK-JS-VITE-13644406: Directory Traversal affecting vite package
Vulnerability | CVE-2025-62522 | CWE-22 | SNYK-JS-VITE-13644406
Fixed in: @5.4.21, 6.4.1, 7.0.8, 7.1.11 | Exploit maturity: MEDIUM

Overview
vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Directory Traversal via the server.fs.deny function. An attacker can access restricted files by appending a backslash to the URL when the development server is running on Windows and is explicitly exposed to the network.
