GHSA-v2wj-q39q-566r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v2wj-q39q-566r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v2wj-q39q-566r/GHSA-v2wj-q39q-566r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v2wj-q39q-566r
- Aliases
-
- CVE-2026-39364
- Downstream
- Related
- Published
- 2026-04-06T18:03:32Z
- Modified
- 2026-04-09T14:59:24.564819728Z
- Severity
-
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Vite: `server.fs.deny` bypassed with queries
- Details
-
Summary
The contents of files that are specified by
server.fs.denycan be returned to the browser.Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using
--hostorserver.hostconfig option) - the sensitive file exists in the allowed directories specified by
server.fs.allow - the sensitive file is denied with a pattern that matches a file by
server.fs.deny
Details
On the Vite dev server, files that should be blocked by
server.fs.deny(e.g.,.env,*.crt) can be retrieved with HTTP 200 responses when query parameters such as?raw,?import&raw, or?import&url&inlineare appended.PoC
- Start the dev server:
pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort - Confirm that
server.fs.denyis enforced (expect 403):curl -i http://127.0.0.1:5175/src/.env | head -n 20<img width="3944" height="1092" alt="image" src="https://github.com/user-attachments/assets/ecb9f2e0-e08f-4ac7-b194-e0f988c4cd4f" /> - Confirm that the same files can be retrieved with query parameters (expect 200): <img width="2014" height="373" alt="image" src="https://github.com/user-attachments/assets/76bc2a6a-44f4-4161-ae47-eab5ae0c04a8" />
- explicitly exposes the Vite dev server to the network (using
- Database specific
{ "github_reviewed_at": "2026-04-06T18:03:32Z", "nvd_published_at": "2026-04-07T20:16:30Z", "severity": "HIGH", "cwe_ids": [ "CWE-180", "CWE-284" ], "github_reviewed": true }- References
-
- https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r
- https://nvd.nist.gov/vuln/detail/CVE-2026-39364
- https://github.com/vitejs/vite/pull/22160
- https://github.com/vitejs/vite/commit/a9a3df299378d9cbc5f069e3536a369f8188c8ff
- https://github.com/vitejs/vite
- https://github.com/vitejs/vite/releases/tag/v7.3.2
- https://github.com/vitejs/vite/releases/tag/v8.0.5
Affected packages
npm / vite
Package
- Name
- vite
- View open source insights on deps.dev
- Purl
- pkg:npm/vite
npm / vite
Package
- Name
- vite
- View open source insights on deps.dev
- Purl
- pkg:npm/vite