CVE-2026-39364
Directory Traversal in Vite Dev Server Allows Unauthorized File Access
Publication date: 2026-04-07
Last updated on: 2026-04-30
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vitejs | vite | From 7.0.0 (inc) to 7.3.1 (inc) |
| vitejs | vite | From 8.0.0 (inc) to 8.0.4 (inc) |
| voidzero | vite+ | Up to 0.1.15 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-180 | The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability leads to high confidentiality loss by allowing unauthorized remote access to sensitive files such as .env and certificate files (*.crt) on the Vite development server. Exposure of such sensitive configuration files can result in the disclosure of personal data or security credentials.
Because it enables unauthorized disclosure of sensitive information, this vulnerability can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access.
Organizations using affected versions of Vite that expose the dev server to the network without proper patching may risk non-compliance due to inadequate access controls and potential data breaches.
Can you explain this vulnerability to me?
CVE-2026-39364 is a high-severity vulnerability in the Vite development server affecting versions from 7.1.0 to before 7.3.2 and 8.0.0 to 8.0.4. It allows an attacker to bypass the server.fs.deny configuration, which is meant to block access to sensitive files such as .env or *.crt files.
The vulnerability occurs because when certain query parameters like ?raw, ?import&raw, or ?import&url&inline are appended to the URL, these sensitive files can be retrieved with HTTP 200 responses, despite being denied by the server configuration.
This issue affects applications that expose the Vite dev server to the network and have sensitive files in directories allowed by server.fs.allow but also matched by deny patterns in server.fs.deny. The root cause involves improper input validation order and insufficient access control.
How can this vulnerability impact me?
This vulnerability can lead to a high confidentiality loss because sensitive files that should be blocked can be accessed remotely without any privileges or user interaction.
Attackers can retrieve sensitive configuration files such as environment variables (.env) or certificate files (*.crt) by exploiting this flaw, potentially exposing secrets, credentials, or private keys.
The attack complexity is low and it can be exploited remotely over the network if the Vite dev server is exposed, making it a significant risk for development environments.
There is no impact on integrity or availability, but the confidentiality breach can lead to further attacks or data leaks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing access to files that should be blocked by the Vite dev server's server.fs.deny configuration, such as .env or *.crt files.
You can start the Vite dev server with network exposure enabled (e.g., using the --host flag) and then attempt to access a denied file directly, which should return HTTP 403.
Next, append query parameters like ?raw, ?import&raw, or ?import&url&inline to the URL of the denied file and check if the server returns an HTTP 200 response with the file contents.
For example, using curl (the URLs are quoted because an unquoted `&` in the query string would be interpreted by the shell):

```bash
curl -i 'http://<vite-server-host>/path/to/.env'                    # expect HTTP 403
curl -i 'http://<vite-server-host>/path/to/.env?raw'                # HTTP 200 with file contents means the bypass is present
curl -i 'http://<vite-server-host>/path/to/.env?import&raw'
curl -i 'http://<vite-server-host>/path/to/.env?import&url&inline'
```
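The same check as a script, added here as an example and not code from the Vite project or this advisory: it requests the plain path and each query-string variant listed above against a dev server you operate, then classifies the status codes. The host and path arguments and the verdict labels are assumptions of this example.

```python
"""Check whether a Vite dev server's server.fs.deny rule holds for one file.

Added example for CVE-2026-39364, not Vite project code. Run it only against a
dev server you operate; host and path are assumed command-line inputs.
"""
import sys
import urllib.error
import urllib.request

# The plain request plus the query-string variants listed in the advisory Q&A.
VARIANTS = ("", "?raw", "?import&raw", "?import&url&inline")


def fetch_status(url: str, timeout: float = 5.0) -> int:
    """GET url and return the HTTP status; 4xx/5xx are results, not failures."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def classify(statuses: dict) -> str:
    """Turn {query_suffix: status} into a verdict (labels are this example's own).

    not-denied: the plain request already returns 200, so no deny rule covers it.
    absent:     the plain request is 404; nothing can be said about deny handling.
    bypass:     the plain request is refused but some variant returns 200.
    blocked:    every variant is refused.
    """
    base = statuses.get("")
    if base == 200:
        return "not-denied"
    if base == 404:
        return "absent"
    if any(code == 200 for suffix, code in statuses.items() if suffix):
        return "bypass"
    return "blocked"


def probe(base_url: str, path: str) -> dict:
    """Collect the status code for each variant of base_url/path."""
    url = f"{base_url.rstrip('/')}/{path.lstrip('/')}"
    return {suffix: fetch_status(url + suffix) for suffix in VARIANTS}


if __name__ == "__main__":
    # e.g. python check_fs_deny.py http://localhost:5173 .env
    target = sys.argv[2] if len(sys.argv) > 2 else ".env"
    results = probe(sys.argv[1], target)
    for suffix, code in results.items():
        print(f"{target}{suffix}: HTTP {code}")
    print("verdict:", classify(results))
```

A `bypass` verdict on a version in the affected ranges above confirms the server needs the upgrade listed in the mitigation answer; `not-denied` means the file is not covered by any deny rule in the first place.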
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Vite dev server to a patched version where this vulnerability is fixed.
- Upgrade to Vite version 7.3.2 or later if using the 7.x series.
- Upgrade to Vite version 8.0.5 or later if using the 8.x series.
- If using vite-plus, upgrade to version 0.1.16 or later.
Additionally, avoid exposing the Vite dev server to the network (do not use the --host flag or server.host configuration) unless necessary, to reduce the attack surface.