Vite >6.0.9 has CORS issue with laravel-vite

[VOBradley]

Describe the bug

After updating VITE to version 6.0.9 I get the following error when vite build

FULL ERROR:

error during build:
TypeError: Invalid URL
    at new URL (node:internal/url:796:36)
    at getAdditionalAllowedHosts (file:///C:/Users/vshchukin/Desktop/projects/ostore/ostore-api/node_modules/vite/dist/node/chunks/dep-BdTvomPN.js:37687:29)
    at resolveConfig (file:///C:/Users/vshchukin/Desktop/projects/ostore/ostore-api/node_modules/vite/dist/node/chunks/dep-BdTvomPN.js:53812:29)
    at async createBuilder (file:///C:/Users/vshchukin/Desktop/projects/ostore/ostore-api/node_modules/vite/dist/node/chunks/dep-BdTvomPN.js:51529:18)
    at async CAC.<anonymous> (file:///C:/Users/vshchukin/Desktop/projects/ostore/ostore-api/node_modules/vite/dist/node/cli.js:852:23)

Reproduction

https://o.kg

Steps to reproduce

set 6.0.9 vite version
npm install
npm run build

System Info

windows and ubuntu

Used Package Manager

npm

Logs

No response

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to vuejs/core instead.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[ioanmihalca-click]

i have the same problem

[nbalkandzhiyski]

Same here

[Josefikos]

Same for me.

Downgrade to 6.0.8 to hotfix this issue.
npm i [email protected]

[github-actions]

Hello @VOBradley. Please provide a minimal reproduction using a GitHub repository or StackBlitz. Issues marked with needs reproduction will be closed if they have no activity within 3 days.

[JapSeyz]

Same problem here, happens on Vite v4.5.7 but not on 4.5.5

[BnitoBzh]

Same problem here, but fixed (locally) by adding a server config on my vite.config.js file.

server: {
  origin: 'http://127.0.0.1:8000',
}

The issue comes after upgrading to [email protected]

[badri00100]

Facing the same kind of problem.

[muhsenmaqsudi]

same here on laravel projects downgraded to v6.0.8 fixed for me

[OliverGrimsley]

same issue for me, upgrade to 6.0.9 failed as described above, had to downgrade. In my case I am using laravel-vite-plugin (v1.1.1).

[rajanvalencia]

changed to "vite": "6.0.8"

[Lennard-vdm]

Downgrading your vite version to 6.0.8 is a temporality fix until they fix the bug.

npm i [email protected]

EDIT: Only do this if your project isnt live or just a personal local project
see: #19239 (comment)

[patak-dev]

Please share a minimal reproduction, it doesn't need to be from the OP. Downgrading to 6.0.8 represents a security risk, see GHSA-vg6x-rcgg-rjx6

[TurboDaan]

Security risk whatever, if u aint using a live project. Downgrading will help the current issue. It helped with my project at least.

[eXistenZNL]

Same in 4 separate different projects that got auto updated by Renovate to v6.0.9 today.

err error during build:
err TypeError [ERR_INVALID_URL]: Invalid URL
err at new NodeError (node:internal/errors:405:5)
err at new URL (node:internal/url:611:13)
err at getAdditionalAllowedHosts (file:///srv/node_modules/vite/dist/node/chunks/dep-BdTvomPN.js:37687:29)
[production] err at resolveConfig (file:///srv/node_modules/vite/dist/node/chunks/dep-BdTvomPN.js:53812:29)
[production] err at async createBuilder (file:///srv/node_modules/vite/dist/node/chunks/dep-BdTvomPN.js:51529:18)
[production] err at async CAC.<anonymous> (file:///srv/node_modules/vite/dist/node/cli.js:852:23)

[moehaidar26]

Found a dynamic temporary solution.
Just add
server: { origin: import.meta.url, }
to your vite.config.js

[CovertError]

server: { origin: import.meta.url, }

this doesnt work with me even when putting a static value

[OliverGrimsley]

[spoke to soon]

The @moehaidar26 solution does get the server to start, however, I cannot access the dev site, I get a CORS error
( laravel plugin environment (dynamic host)).

If that is a requirement now this should have been listed as a breaking change to the config file, as (I think) most of us only run this in dev, and hence do not really deal with CORS etc.

Had to revert back to .8

[CovertError]

import { defineConfig } from 'vite';
import laravel from 'laravel-vite-plugin';

export default defineConfig({
    server: { origin: import.meta.url},
    plugins: [
        laravel({
            input: [
                'resources/css/app.css', 'resources/js/app.js',
            ],
            refresh: true,
        }),
    ],
});

yes i had it in the wrong place it should be like this @moehaidar26 thanks

[bastihilger]

I don't know if this counts as a minimal reproduction... as a Laravel developer this is the easiest way:

1. Install a Laravel test project (Link)

You can use the minimum setup, no starter kit, no migrations. You do have to have some kind of development setup for PHP with Composer, though (like Laravel Herd or Laravel Valet).

2. cd into the project and run npm install && npm run build

As long as there is no newer version of vite out this will install vite 6.0.9 and the error "error during build: TypeError: Invalid URL..:" is thrown.

[hmawla]

It is a patched security issue.

The best solution for now is to use vite: 6.0.8 or vite: 5.4.11 or vite: 4.5.5.
just update your packages.json like so: "vite": "6.0.8"

However do note that this is just a temporary solution until we get a fix from vite team.

Reference: GHSA-vg6x-rcgg-rjx6

[dominikg]

@hmawla please update your post, the vulnerability is not about using dev-mode in a production deployment, but public websites being able to access a dev-server running on your workstation, eg when you are developing with the devserver open in one browser-tab and researching for a solution for a bug in a second tab.

[hmawla]

@hmawla please update your post, the vulnerability is not about using dev-mode in a production deployment, but public websites being able to access a dev-server running on your workstation, eg when you are developing with the devserver open in one browser-tab and researching for a solution for a bug in a second tab.

Thank you, I have updated my comment.

[wout-o]

The culprit appears to be the default value for server.origin in the laravel/vite-plugin.

An issue has already been opened.

[mostafaznv]

It is a patched security issue.

The best solution for now is to use vite: 6.0.8 or vite: 5.4.11 or vite: 4.5.5. just update your packages.json like so: "vite": "6.0.8"

However do note that this is just a temporary solution until we get a fix from vite team.

Reference: GHSA-vg6x-rcgg-rjx6

this worked for me. thank

[CovertError]

the issue still exits in Vite 6.0.9 not sure if there is another version

[patak-dev]

yes, #19241 was released in [email protected]

[patak-dev]

also released in 4.5.8, 5.4.13

[BnitoBzh]

This do not fix issue on Laravel without making additional configuration.
Running npm run dev works but now we get an error in the browser.

Access to script at 'http://[::1]:5173/resources/js/main.js' from origin 'http://localhost:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The configuration below must be set in vite.config.js

server: {
  cors: true
}

[OliverGrimsley]

This do not fix issue on Laravel without making additional configuration. Running npm run dev works but now we get an error in the browser.

In the laravel plugin thread a poster explained to add a server config.

In vite.config.js

import { defineConfig } from 'vite'
import laravel from 'laravel-vite-plugin'
import vue from '@vitejs/plugin-vue'
const domain = "example.test" // insert domain

export default defineConfig({
server: {
        origin: 'https://' + domain + ':5173',
        cors: true,
 },
...

This fixed mine ( should be clear, I am using valet and securing my local dev sites)

[sapphi-red]

Caution

Please note that setting server.cors: true will just nullify the security change and opt-in to exposing the source code to any websites. This is how browser handles requests to local sites and the only fix here is set a list of trusted origins to server.cors.origin.

---

For the case of Access to script at 'http://[::1]:5173/resources/js/main.js'... error, instead of server.cors: true, you should set the following config:

export default defineConfig({
  server: {
    cors: { origin: 'http://[::1]:5173' },
  }
})

if [::1]:5173 can be trusted (in this case, I guess the backend server is served on [::1]:5173 and you can trust that).

[sapphi-red]

should be clear, I am using valet and securing my local dev sites

I don't think any application can prevent the attack from happening unless that application modifies the browsers binaries, because it happens inside the browser.

[timacdonald]

For the Laravel users in the thread who are having CORS issues, I've prepared a fix in the laravel-vite-plugin that should resolve the issue for 80% of Laravel apps: laravel/vite-plugin#318

If you need special config, we recommend setting the server.cors.origin to the allowed origins. As @sapphi-red mentioned, setting it to true restores the vulnerability that Vite just patched (which is bonkers, btw!).

[timacdonald]

Although temporarily fixed within Vite itself, we also have a PR up to ensure that we are using a well-formed URL for the server.origin, which should fix the originally reported TypeError: Invalid URL error.

laravel/vite-plugin#317

[bluwy]

I've renamed the issue to be about laravel-vite-plugin as it's the main repro we have for this issue. Any other CORS behavior changes is likely related to the security fix breaking change as noted in GHSA-vg6x-rcgg-rjx6. I think we can close this once there's a fix in laravel-vite-plugin.

[spawn81]

I have this problem too and that's my quick fix:

upgraded Vite to 6.0.10
in vite.config.js
import { defineConfig, loadEnv } from 'vite';
const env = loadEnv('', '')

server: { cors: { origin: env.VITE_APP_URL }, },

and in laravel .env
VITE_APP_URL="${APP_URL}"

[timacdonald]

We have released v1.2.0 of the laravel-vite-plugin. Please update and please report any persisting issues on the laravel/vite-plugin repository.

Thanks!