Description
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.
Published: 2026-04-23
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file write via path traversal
Action: Immediate Patch
AI Analysis

Impact

Vite+ is a web development toolchain that, before version 0.1.17, allowed callers to trigger the function downloadPackageManager() with an untrusted version string. The function used that string directly to construct filesystem paths inside VP_HOME/package_manager/<pm>/, but it did not sanitize or resolve relative components. A malicious caller can embed ‘../’ segments or an absolute path, causing the function to write to arbitrary locations outside the intended cache directory. These writes can delete, replace, or populate directories that are not part of the VP_HOME tree, potentially compromising the host filesystem or installing arbitrary code.

Affected Systems

The affected product is vite-plus, from the voidzero-dev repository. Versions released before 0.1.17 are vulnerable; 0.1.17 and later incorporate a patch that sanitizes the input path.

Risk and Exploitability

The CVSS score of 8.4 indicates a high-severity vulnerability. The EPSS score of less than 1% suggests a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Because the function accepts a user-provided parameter, the attack can be carried out by any caller that can invoke downloadPackageManager(). If the tool is exposed through a network service, remote actors could exploit it; otherwise, an attacker with local access could craft the request. The primary vector is a malicious version string supplied to downloadPackageManager(), leading to path traversal and arbitrary file writes.

Generated by OpenCVE AI on April 28, 2026 at 15:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vite+ to version 0.1.17 or later to apply the vendor’s path‑sanitization patch.
  • If an immediate upgrade is not possible, validate the version parameter to reject any values containing ‘..’ or absolute path separators, ensuring that only legitimate semantic‑version strings are accepted.
  • Run Vite+ with the least privilege principle, restricting the process’s write permissions to the VP_HOME directory and preventing writes to system locations.


Advisories

  • Source: GitHub GHSA
    ID: GHSA-33r3-4whc-44c2
    Title: Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME

History

Wed, 29 Apr 2026 16:00:00 +0000

  • First Time appeared: added Voidzero; Voidzero vite+
  • CPEs: added cpe:2.3:a:voidzero:vite\+:*:*:*:*:*:node.js:*:*
  • Vendors & Products: added Voidzero; Voidzero vite+
  • Metrics: added cvssV3_1 {'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H'}


Tue, 28 Apr 2026 09:45:00 +0000

  • First Time appeared: added Voidzero-dev; Voidzero-dev vite-plus
  • Vendors & Products: added Voidzero-dev; Voidzero-dev vite-plus

Thu, 23 Apr 2026 13:15:00 +0000

  • Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 01:15:00 +0000

  • Description: added "Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, `downloadPackageManager()` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments or an absolute path to escape the `VP_HOME/package_manager/<pm>/` cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch."
  • Title: added "`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`"
  • Weaknesses: added CWE-22
  • References: none listed
  • Metrics: added cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T12:32:17.823Z

Reserved: 2026-04-18T02:51:52.975Z

Link: CVE-2026-41211

Vulnrichment

Updated: 2026-04-23T12:32:07.490Z

NVD

Status: Analyzed

Published: 2026-04-23T02:16:18.860

Modified: 2026-04-29T15:49:45.557

Link: CVE-2026-41211

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:15:34Z

Weaknesses