CVE-2026-39365
Description
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vite (npm) | >= 8.0.0, < 8.0.5 | 8.0.5 |
| vite (npm) | >= 7.0.0, < 7.3.2 | 7.3.2 |
| vite (npm) | < 6.4.2 | 6.4.2 |
Patches
79f002f2286c fix: avoid path traversal with optimize deps sourcemap handler (#22161)
3 files changed · +22 −0
packages/vite/src/node/server/middlewares/transform.ts+4 −0 modified@@ -161,6 +161,10 @@ export function transformMiddleware( const sourcemapPath = url.startsWith(FS_PREFIX) ? fsPathFromId(url) : normalizePath(path.resolve(server.config.root, url.slice(1))) + // url may contain relative path that may resolve outside of the optimized deps directory + if (!depsOptimizer.isOptimizedDepFile(sourcemapPath)) { + return next() + } try { const map = JSON.parse( await fsp.readFile(sourcemapPath, 'utf-8'),
playground/fs-serve/__tests__/fs-serve.spec.ts+15 −0 modified@@ -90,6 +90,21 @@ describe.runIf(isServe)('invalid request', () => { target: path.posix.join('/@fs/', root, 'root/src/dummy.crt/') + '.', status: 'HTTP/1.1 403 Forbidden', }, + { + name: 'denied optimize deps sourcemap handler', + target: + path.posix.join('/@fs/', root) + + '/node_modules/.vite/deps/../../../unsafe.map', + status: 'HTTP/1.1 403 Forbidden', + }, + { + name: 'denied backslash optimize deps sourcemap handler', + target: + path.posix.join('/@fs/', root) + + '/node_modules/.vite/deps/..\\..\\..\\unsafe.map', + status: isWindows ? 'HTTP/1.1 403 Forbidden' : 'HTTP/1.1 200 OK', + content: isWindows ? undefined : 'Cache-Control: no-cache', + }, { name: 'HTML outside root with relative path', target: '/../unsafe.html',
playground/fs-serve/unsafe.map+3 −0 added@@ -0,0 +1,3 @@ +{ + "key": "unsafe" +}
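Review bot: in the transform.ts hunk, whether the new guard `if (!depsOptimizer.isOptimizedDepFile(sourcemapPath)) { return next() }` actually closes the traversal depends on `isOptimizedDepFile` testing directory containment of the already-normalized `sourcemapPath`, not a file-name or extension pattern, and that implementation is not visible in this hunk; the comment above the guard should name that expectation, and a test case for a sibling directory (something like `.vite/deps-other/x.map`) would pin the contract. The choice of `return next()` over an immediate 403 is also load-bearing: it is what lets the later server.fs middleware produce the 403 the new tests expect, so a short note saying so would stop a future reader from "simplifying" it into a direct response.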
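Review bot: in the fs-serve.spec.ts hunk, the second case is named 'denied backslash optimize deps sourcemap handler' yet expects `HTTP/1.1 200 OK` on non-Windows, where backslashes are ordinary filename characters rather than separators; the name reads as a denial on every platform, so either rename the case or add a comment stating why 200 is the correct expectation there. Consider also asserting that the body does not contain the fixture's `"key": "unsafe"` rather than only `content: isWindows ? undefined : 'Cache-Control: no-cache'`, since the header check does not show that the traversed file's content stayed unserved.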
References
- github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9 (vendor advisory; NVD tags: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-4w7w-66w2-5vf9 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-39365
- github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694 (fix commit)
- github.com/vitejs/vite/pull/22161 (fix pull request)
- github.com/vitejs/vite/releases/tag/v6.4.2
- github.com/vitejs/vite/releases/tag/v7.3.2
- github.com/vitejs/vite/releases/tag/v8.0.5