Impact
The vulnerability resides in the launch-editor module used within Vite, which transforms a file path and line number into a command to open the file in an editor. Prior to version 2.9.0, the module fails to properly sanitize the file argument, allowing an attacker to inject command-line characters on Windows. As a result, an attacker who can supply the filename can execute arbitrary commands with the privileges of the running Node.js process, a classic command injection flaw (CWE-77). If exploited, the attacker could gain control over the host system or read/write arbitrary files, compromising confidentiality, integrity, and availability of the application and data.
Affected Systems
The flaw affects the vitejs:launch-editor package and its ancestor vitejs:vite. All releases before launch-editor 2.9.0 (which corresponds to Vite 5.4.9) are vulnerable. The issue is relevant to any Node.js application that imports launch-editor or calls its launchEditor method with a user-controlled filename.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score is not available, making it unclear how often the flaw is actively exploited. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at the time of the advisory. The attack vector requires that an attacker can influence the filename passed to launchEditor, typically through a user-facing API, CLI command, or malformed request. If such influence is possible, successful exploitation would allow remote code execution with the privileges of the Node.js process.
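For code that passes a user-controlled filename to launchEditor, the following added example (not code from launch-editor, Vite, or this advisory) shows one way to validate the file and line before the call. The function name `checkEditorTarget`, the allowlist, and the relative-path-only policy are assumptions chosen for illustration, and the sample requests are constructed.

```javascript
// Added example: gate an untrusted "open in editor" request before it is
// passed to launchEditor. The policy below is an assumption, not the upstream fix.

// Allowlist: Unicode letters and digits, space, and _ . - / \
// Anything else is refused, including & | < > ^ % ! " ( ) : and control characters.
const SAFE_PATH = /^[\p{L}\p{N}_.\-\/\\ ]+$/u;
const MAX_PATH = 260; // classic Windows MAX_PATH, used here as a sanity bound

function checkEditorTarget(file, line = 1) {
  if (typeof file !== 'string' || file.length === 0 || file.length > MAX_PATH) {
    return { ok: false, reason: 'file must be a non-empty string within the length bound' };
  }
  if (!SAFE_PATH.test(file)) {
    return { ok: false, reason: 'file contains a character outside the allowlist' };
  }
  // Relative paths only. Drive letters are already refused because ":" is not allowed.
  if (/^[\\/]/.test(file)) {
    return { ok: false, reason: 'rooted and UNC paths are not accepted' };
  }
  if (file.split(/[\\/]+/).includes('..')) {
    return { ok: false, reason: 'parent-directory segments are not accepted' };
  }
  // A leading "-" could be parsed as an option by the editor executable.
  if (file.startsWith('-')) {
    return { ok: false, reason: 'file must not start with "-"' };
  }
  if (!Number.isInteger(line) || line < 1) {
    return { ok: false, reason: 'line must be a positive integer' };
  }
  return { ok: true, file, line };
}

// Constructed sample requests, as a dev-server endpoint might receive them.
const SAMPLE_REQUESTS = [
  { file: 'src/components/App.vue', line: 12 },
  { file: 'src/main.js&x', line: 1 },
  { file: '..\\..\\notes.txt', line: 1 },
  { file: 'C:\\project\\src\\main.js', line: 3 },
  { file: 'src/main.js', line: '3' },
];

function triage(requests) {
  return requests.map(({ file, line }) => checkEditorTarget(file, line));
}

for (const result of triage(SAMPLE_REQUESTS)) {
  console.log(result.ok ? `open ${result.file}:${result.line}` : `refuse: ${result.reason}`);
}
```

Only a request that comes back with `ok: true` would be forwarded to launchEditor; everything else is dropped and can be logged with its reason.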
OpenCVE Enrichment