CVE-2026-39365
Directory Traversal in Vite Dev Server Allows Source Map Disclosure
Publication date: 2026-04-07
Last updated on: 2026-04-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vitejs | vite | From 6.0.0 (inc) to 6.4.1 (inc) |
| vitejs | vite | From 7.0.0 (inc) to 7.3.1 (inc) |
| vitejs | vite | From 8.0.0 (inc) to 8.0.4 (inc) |
| voidzero | vite+ | to 0.1.15 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39365 is a path traversal vulnerability in the Vite development server affecting versions 6.0.0 through 6.4.1, 7.0.0 through 7.3.1, and 8.0.0 through 8.0.4. The issue is in the route that serves .map files for optimized dependencies (node_modules/.vite/deps/ by default). The server maps the URL onto the cache directory and reads the file without rejecting '../' segments, so a request that passes the prefix check can resolve to a path outside the project root. An attacker can therefore bypass the server's file system restrictions and retrieve .map files anywhere on the host that the dev-server process can read, as long as those files contain valid source map JSON (the server parses the file before returning it).
This vulnerability only affects applications that expose the Vite dev server to the network (for example, by using the --host flag or the server.host configuration option). The vulnerability is fixed in versions 6.4.2, 7.3.2, and 8.0.5.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to .map files located outside the project root by bypassing path restrictions, potentially exposing sensitive information contained in those files.
Exposure of sensitive information to unauthorized actors can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding of confidential data and prevention of unauthorized access.
Therefore, if the exposed .map files contain personal or sensitive data, this vulnerability could result in violations of these standards due to inadequate access controls and information disclosure.
How can this vulnerability impact me?
This vulnerability allows an attacker to remotely access .map files located outside the project root directory by exploiting path traversal sequences in URL requests. If sensitive information is present in these .map files with predictable paths, it could be exposed to unauthorized actors.
The impact on confidentiality is considered low, as it only exposes .map files. There is no impact on integrity or availability. However, the exposure of sensitive source map files could reveal internal source code details or other information that might aid further attacks.
Exploitation requires that the Vite dev server is explicitly exposed to the network, which is not the default configuration.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
On a server you own, the vulnerability can be checked by requesting a .map file that lives outside the project root through the optimized-dependencies route (node_modules/.vite/deps/ by default) with ../ segments in the URL path.
A proof of concept: place a minimal but valid v3 source map outside the project root, for example /tmp/poc.map containing {"version":3,"sources":[],"names":[],"mappings":""} (the server only returns files that parse as source map JSON, so an arbitrary text file will not be served), start the Vite dev server with network exposure enabled (the --host flag or the server.host configuration option), and request that file through the deps route with enough ../ segments to climb from the deps directory to the filesystem root.
The HTTP client must send the path verbatim. curl normalizes ../ segments away before sending unless told not to, so pass --path-as-is; browsers normalize the path too, which is why an ordinary page load never reaches this code path:
- curl --path-as-is http://<vite-server-host>:<port>/node_modules/.vite/deps/../../../../tmp/poc.map
Adjust the number of ../ segments to the depth of the project directory: one per path component between the deps directory and the target file. If the server answers 200 with the contents of the source map you placed outside the project root, the vulnerability is present; if it does not return that file, the traversal is being blocked.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the Vite development server to a patched version where the issue is fixed.
- Upgrade to Vite version 6.4.2, 7.3.2, or 8.0.5 or later.
- If using vite+ (vite-plus), upgrade to version 0.1.16 or later.
Additionally, avoid exposing the Vite dev server to the network unless necessary: the vulnerability is only reachable when the server listens beyond localhost (e.g., via the --host flag or the server.host configuration option), which is not the default.
If the dev server must be reachable from the network before the upgrade is in place, assume that any .map file with a predictable path on that host can be read by anyone who can reach the port, and keep secrets and sensitive source out of such files.