We currently support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.1.x | ✅ |
| < 1.1.0 | ❌ |
If you discover a security vulnerability within this project, please send an email to the repository owner. All security vulnerabilities will be promptly addressed.
Affected versions: esbuild <= 0.24.2
Patched version: esbuild 0.25.0
Status: Fixed in project
This project was pulling in esbuild v0.21.5 transitively through its vitest and vite dependencies. The `package.json` has been updated to enforce esbuild v0.25.0 or newer.
Summary:
esbuild allows any website to send any request to the development server and read the response, due to its default CORS settings.
Details:
esbuild sets the `Access-Control-Allow-Origin: *` header on all responses from its development server, including the SSE connection, which allows any website to send any request to the development server and read the response.
Mitigation:
- The project now explicitly requires esbuild v0.25.0 or later.
- If you're running a forked version, check for esbuild in your dependency tree: `npm ls esbuild`
- When using development servers, avoid exposing them to public networks.
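To make the `npm ls esbuild` check above mechanical, here is an added example (not part of this project's code) that walks the JSON printed by `npm ls esbuild --json` and flags every copy of esbuild below the patched 0.25.0 release together with the dependency path that pulls it in. The tree in the block is a constructed sample standing in for real `npm ls` output, and `findVulnerableEsbuild` / `isVulnerable` are names chosen here.

```javascript
// Added example: scan `npm ls esbuild --json` output for esbuild < 0.25.0.
// Names and the sample tree below are assumptions, not the project's own code.
const PATCHED = [0, 25, 0]; // first esbuild release with the CORS fix

// Parse "MAJOR.MINOR.PATCH" (ignoring any pre-release suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the version sorts strictly below 0.25.0 (i.e. <= 0.24.x).
function isVulnerable(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== PATCHED[i]) return a[i] < PATCHED[i];
  }
  return false; // exactly 0.25.0 is patched
}

// Recursively collect every vulnerable esbuild install and the path to it.
// `tree` has the shape npm prints: { name, version, dependencies: { ... } }.
function findVulnerableEsbuild(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'esbuild' && info.version && isVulnerable(info.version)) {
      out.push({ version: info.version, path: here.join(' > ') });
    }
    findVulnerableEsbuild(info, here, out); // nested node_modules
  }
  return out;
}

// Constructed sample resembling `npm ls esbuild --json` for a project that
// pins esbuild 0.25.0 at top level but still gets 0.21.5 via vite/vitest.
const SAMPLE_TREE = {
  name: 'example-app', version: '1.1.0',
  dependencies: {
    esbuild: { version: '0.25.0' },
    vite: { version: '5.4.0', dependencies: { esbuild: { version: '0.21.5' } } },
    vitest: { version: '2.1.0', dependencies: {
      vite: { version: '5.4.0', dependencies: { esbuild: { version: '0.21.5' } } },
    } },
  },
};

for (const hit of findVulnerableEsbuild(SAMPLE_TREE)) {
  console.log(`vulnerable esbuild ${hit.version} via ${hit.path}`);
}
```

Pipe real output in with `npm ls esbuild --json --all > tree.json` and replace `SAMPLE_TREE` with `JSON.parse(fs.readFileSync('tree.json'))`; an empty result means no copy older than 0.25.0 remains in the tree.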
References: