Description
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
Published: 2026-06-22
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

launch-editor is a Node.js package that lets users open a file at a specific line number in an editor. Before version 2.14.1, the package could resolve any file path, including Windows UNC paths. When a UNC path is opened, Windows initiates NTLM authentication to the target host. The authentication exchange leaks the user’s NTLMv2 hash to the SMB server that receives the request. An attacker who controls that SMB server can capture the hash and later crack it offline, resulting in credential compromise.

Affected Systems

The vulnerability affects the launch-editor NPM package from vitejs. Users of versions prior to 2.14.1—specifically vitejs:launch-editor, vitejs:vite, and vitejs:vite-plus—are impacted. Updating the package to 2.14.1 or later resolves the issue.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is not reported, which means an exact exploitation likelihood cannot be quantified from the available data. The vulnerability is not listed in CISA KEV. Exploitation requires the attacker to host a malicious SMB share and lure a victim into opening a UNC path via launch-editor; once the victim opens the path, the hash is transmitted. No additional prerequisites beyond the victim using the vulnerable package are stated, so the risk is limited to machines that run Node.js with the older launch-editor package.

Generated by OpenCVE AI on June 22, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade launch-editor to version 2.14.1 or later
  • Configure Node.js applications to disallow UNC paths or enforce path validation before delegating to launch-editor
  • Audit and monitor SMB traffic for unauthorized NTLM authentication attempts and consider disabling NTLM at the network perimeter if feasible
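
One way to apply the path-validation recommendation above before a target reaches launch-editor, as an added example that is not code from launch-editor or OpenCVE. The helper `validateEditorTarget`, the project root `C:\proj` and the host `fileserver.example` are assumptions made for illustration; `path.win32` is used so the Windows path rules apply on any host OS.

```javascript
const path = require('node:path').win32; // Windows path rules on any host OS

// A path that starts with two separators is a UNC or device-namespace path:
// \\host\share, //host/share, \\?\UNC\host\share, \\.\UNC\host\share.
const DOUBLE_SEP_PREFIX = /^[\\/]{2}/;

// Hypothetical helper: returns { file, line, column } or throws.
function validateEditorTarget(spec, projectRoot) {
  if (typeof spec !== 'string' || spec.includes('\0')) {
    throw new Error('invalid target');
  }
  // Split "file[:line[:column]]" without tripping on the drive-letter colon.
  const m = /^(.*?)(?::(\d+))?(?::(\d+))?$/.exec(spec.trim());
  if (!m || !m[1]) throw new Error('invalid target');
  const [, file, line, column] = m;
  if (DOUBLE_SEP_PREFIX.test(file)) {
    throw new Error('UNC and device paths are not allowed');
  }
  const root = path.resolve(projectRoot);
  const resolved = path.resolve(root, file);
  const rel = path.relative(root, resolved);
  // Re-check the resolved form, then require it to stay under the root.
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (DOUBLE_SEP_PREFIX.test(resolved) || escapes) {
    throw new Error('target is outside the project root');
  }
  return { file: resolved, line: Number(line || 1), column: Number(column || 1) };
}

// Constructed sample inputs; fileserver.example is a placeholder host name.
const samples = [
  'src\\main.js:13:24',
  '\\\\fileserver.example\\share\\a.js:1',
  '//fileserver.example/share/a.js',
  '..\\..\\outside.js',
];
for (const s of samples) {
  try {
    console.log('open  ', validateEditorTarget(s, 'C:\\proj'));
  } catch (e) {
    console.log('reject', JSON.stringify(s), '-', e.message);
  }
}
```

Only the returned `file`, `line` and `column` should be passed on to launch-editor; a rejected target never reaches the file system, so no SMB connection is attempted.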



Advisories
Source: Github GHSA
ID: GHSA-v6wh-96g9-6wx3
Title: launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
Title NTLMv2 hash disclosure via UNC path handling on Windows
Weaknesses CWE-522, CWE-73
References
Metrics cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:30:11.939Z

Reserved: 2026-06-09T20:16:59.647Z

Link: CVE-2026-53632

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-522

    Insufficiently Protected Credentials

  • CWE-73

    External Control of File Name or Path