GHSA-4w7w-66w2-5vf9

Source
https://github.com/advisories/GHSA-4w7w-66w2-5vf9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4w7w-66w2-5vf9
Aliases
  • CVE-2026-39365
Downstream
Published
2026-04-06T18:03:46Z
Modified
2026-04-07T22:34:57.237466Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
Details

Summary

Any file ending with .map, even one outside the project, can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

  • explicitly expose the Vite dev server to the network (using --host or the server.host config option)
  • have sensitive content in files ending with .map, at a path that is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

  1. Create a minimal PoC sourcemap outside the project root
    cat > /tmp/poc.map <<'EOF'
    {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
    EOF
    
  2. Start the Vite dev server (example)
    pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
    
  3. Confirm that direct /@fs access is blocked by strict (returns 403)
  4. Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map
Database specific
{
    "cwe_ids": [
        "CWE-200",
        "CWE-22"
    ],
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-04-06T18:03:46Z",
    "nvd_published_at": "2026-04-07T20:16:30Z"
}
References

Affected packages

npm / vite

Package

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0
Fixed
8.0.5

Database specific

last_known_affected_version_range
"<= 8.0.4"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json"

npm / vite

Package

Affected ranges

Type
SEMVER
Events
Introduced
7.0.0
Fixed
7.3.2

Database specific

last_known_affected_version_range
"<= 7.3.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json"

npm / vite

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.4.2

Database specific

last_known_affected_version_range
"<= 6.4.1"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json"