Executive Summary

CVE-2026-39364 is a high-severity vulnerability in the Vite development server affecting versions from 7.1.0 to before 7.3.2 and 8.0.0 to 8.0.4. It allows an attacker to bypass the server.fs.deny configuration, which is meant to block access to sensitive files such as .env or *.crt files.

The vulnerability occurs because when certain query parameters like ?raw, ?import&raw, or ?import&url&inline are appended to the URL, these sensitive files can be retrieved with HTTP 200 responses, despite being denied by the server configuration.

This issue affects applications that expose the Vite dev server to the network and have sensitive files in directories allowed by server.fs.allow but also matched by deny patterns in server.fs.deny. The root cause involves improper input validation order and insufficient access control.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a high confidentiality loss because sensitive files that should be blocked can be accessed remotely without any privileges or user interaction.

Attackers can retrieve sensitive configuration files such as environment variables (.env) or certificate files (*.crt) by exploiting this flaw, potentially exposing secrets, credentials, or private keys.

The attack complexity is low and it can be exploited remotely over the network if the Vite dev server is exposed, making it a significant risk for development environments.

There is no impact on integrity or availability, but the confidentiality breach can lead to further attacks or data leaks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing access to files that should be blocked by the Vite dev server's server.fs.deny configuration, such as .env or *.crt files.

You can start the Vite dev server with network exposure enabled (e.g., using the --host flag) and then attempt to access a denied file directly, which should return HTTP 403.

Next, append query parameters like ?raw, ?import&raw, or ?import&url&inline to the URL of the denied file and check if the server returns an HTTP 200 response with the file contents.

For example, using curl commands:

• curl -i http://<vite-server-host>/path/to/.env # Expect HTTP 403
• curl -i http://<vite-server-host>/path/to/.env?raw # If HTTP 200 and file contents returned, vulnerability exists
• curl -i http://<vite-server-host>/path/to/.env?import&raw
• curl -i http://<vite-server-host>/path/to/.env?import&url&inline

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Vite dev server to a patched version where this vulnerability is fixed.

• Upgrade to Vite version 7.3.2 or later if using the 7.x series.
• Upgrade to Vite version 8.0.5 or later if using the 8.x series.
• If using vite-plus, upgrade to version 0.1.16 or later.

Additionally, avoid exposing the Vite dev server to the network (do not use the --host flag or server.host configuration) unless necessary, to reduce the attack surface.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability leads to high confidentiality loss by allowing unauthorized remote access to sensitive files such as .env and certificate files (*.crt) on the Vite development server. Exposure of such sensitive configuration files can result in the disclosure of personal data or security credentials.

Because it enables unauthorized disclosure of sensitive information, this vulnerability can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access.

Organizations using affected versions of Vite that expose the dev server to the network without proper patching may risk non-compliance due to inadequate access controls and potential data breaches.

Useful 0 Not Useful 0