Executive Summary

CVE-2026-39365 is a path traversal vulnerability in the Vite development server affecting versions 6.4.1 and below, 7.0.0 through 7.3.1, and 8.0.0 through 8.0.4. The issue occurs when the server handles requests for .map files in optimized dependencies. It resolves file paths and reads files without properly restricting '../' segments in the URL, allowing an attacker to bypass the server's file system restrictions and retrieve .map files located outside the project root directory, as long as those files contain valid source map JSON.

This vulnerability only affects applications that expose the Vite dev server to the network (for example, by using the --host flag or server.host configuration). The vulnerability is fixed in versions 6.4.2, 7.3.2, and 8.0.5.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to remotely access .map files located outside the project root directory by exploiting path traversal sequences in URL requests. If sensitive information is present in these .map files with predictable paths, it could be exposed to unauthorized actors.

The impact on confidentiality is considered low, as it only exposes .map files. There is no impact on integrity or availability. However, the exposure of sensitive source map files could reveal internal source code details or other information that might aid further attacks.

Exploitation requires that the Vite dev server is explicitly exposed to the network, which is not the default configuration.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access .map files outside the project root directory through the Vite dev server's optimized dependencies .map file path, using path traversal sequences (../) in the URL.

A proof of concept involves creating a minimal source map file outside the project root (for example, /tmp/poc.map), starting the Vite dev server with network exposure enabled (e.g., using the --host flag or server.host configuration), and then sending HTTP requests that include ../ segments in the URL path to try to retrieve that .map file.

Example commands to test this might include using curl or wget to request a .map file with path traversal sequences, such as:

• curl http://<vite-server-host>:<port>/node_modules/.vite/deps/../../../../tmp/poc.map
• wget http://<vite-server-host>:<port>/node_modules/.vite/deps/../../../../tmp/poc.map

If the server returns the contents of the .map file located outside the project root, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the Vite development server to a patched version where the issue is fixed.

• Upgrade to Vite version 6.4.2, 7.3.2, or 8.0.5 or later.
• If using vite-plus, upgrade to version 0.1.16 or later.

Additionally, avoid exposing the Vite dev server to the network unless necessary, as the vulnerability requires network exposure (e.g., via the --host flag or server.host configuration).

Ensure that sensitive .map files are not accessible or do not contain sensitive information if the dev server must be exposed.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized access to .map files located outside the project root by bypassing path restrictions, potentially exposing sensitive information contained in those files.

Exposure of sensitive information to unauthorized actors can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding of confidential data and prevention of unauthorized access.

Therefore, if the exposed .map files contain personal or sensitive data, this vulnerability could result in violations of these standards due to inadequate access controls and information disclosure.

Useful 0 Not Useful 0