Description
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Published: 2026-04-07
Score: 6.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: Path Traversal exposing source map files
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to retrieve source map files that reside outside the project root by manipulating the URL path sent to a Vite development server. When the server handles a .map request for an optimized dependency, it resolves the requested file path without rejecting relative "../" segments in the URL and then reads the file directly, so the server.fs.strict allow list is never applied to the resolved path. As a result, an adversary can obtain any file from directories beyond the intended project boundary that parses as valid source map JSON, potentially revealing source code or development information. This weakness corresponds to the directory traversal flaw described by CWE-22.

Affected Systems

Vite 6.x releases from 6.0.0 up to but excluding 6.4.2, 7.x releases before 7.3.2, and 8.x releases before 8.0.5 are affected. The flaw is in the core Vite framework and its extensions managed by the vitejs organization, including vite-plus. Any deployment that runs the development server with one of these versions is vulnerable.

Risk and Exploitability

The CVSS score of 6.3 classifies this as moderate severity. The EPSS score of 1% indicates a low but nonzero probability that the vulnerability is exploited. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the likely attack vector would be an unauthenticated HTTP request sent to the development server, which typically serves only local developers but could be exposed to external networks. An attacker exploiting this flaw could read arbitrary source map files outside the project, exposing internal code and debugging data. While no public exploit has been reported, the potential for source disclosure makes timely remediation important.

Generated by OpenCVE AI on April 17, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vite to version 6.4.2 or later, 7.3.2 or later, or 8.0.5 or later.
  • If an upgrade is not immediately possible, restrict access to the development server to trusted IP ranges or keep it on localhost only.
  • Ensure that the server.fs.strict allow list is enabled and not overridden.
  • Verify that source map files are not served through other routes or exposed unintentionally.
  • Apply any vendor patches or updates as they become available.


Tracking


Advisories
Source       ID                    Title
GitHub GHSA  GHSA-4w7w-66w2-5vf9   Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
History

Thu, 30 Apr 2026 18:45:00 +0000

Type                 Values Removed                                      Values Added
First Time appeared                                                      Voidzero
                                                                         Voidzero vite\+
CPEs                 cpe:2.3:a:vitejs:vite-plus:*:*:*:*:*:node.js:*:*    cpe:2.3:a:voidzero:vite\+:*:*:*:*:*:node.js:*:*
Vendors & Products                                                       Voidzero
                                                                         Voidzero vite\+

Wed, 15 Apr 2026 20:00:00 +0000

Type                 Values Removed                                      Values Added
CPEs                                                                     cpe:2.3:a:vitejs:vite-plus:*:*:*:*:*:node.js:*:*
                                                                         cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*

Wed, 15 Apr 2026 15:15:00 +0000

Type                 Values Removed                                      Values Added
Metrics                                                                  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type                 Values Removed                                      Values Added
First Time appeared                                                      Vitejs
                                                                         Vitejs vite
                                                                         Vitejs vite-plus
Vendors & Products                                                       Vitejs
                                                                         Vitejs vite
                                                                         Vitejs vite-plus

Wed, 08 Apr 2026 00:15:00 +0000

Type                 Values Removed                                      Values Added
References
Metrics              threat_severity: None                               cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
                                                                         threat_severity: Moderate


Tue, 07 Apr 2026 20:45:00 +0000

Type                 Values Removed                                      Values Added
Description                                                              Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Title                                                                    Vite has a Path Traversal in Optimized Deps `.map` Handling
Weaknesses                                                               CWE-22
References
Metrics                                                                  cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:23:24.501Z

Reserved: 2026-04-06T21:29:17.349Z

Link: CVE-2026-39365

Vulnrichment

Updated: 2026-04-09T18:10:58.989Z

NVD

Status : Analyzed

Published: 2026-04-07T20:16:30.350

Modified: 2026-04-30T18:34:09.230

Link: CVE-2026-39365

Redhat

Severity : Moderate

Public Date: 2026-04-07T19:13:50Z

Links: CVE-2026-39365 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z

Weaknesses