CVE-2026-53632
Received - Intake
NTLM Credential Leak in launch-editor NPM Package

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID - Description
CWE-522 - The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-73 - The product allows user input to control or influence paths or file names that are used in filesystem operations.
Executive Summary

CVE-2026-53632 is a vulnerability in the launch-editor NPM package that affects Windows systems. The package allows users to open files with line numbers from Node.js, but prior to version 2.14.1, it could access arbitrary paths including Windows UNC paths (network paths like \\attacker-host\share). When such a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, which causes the user's NTLMv2 password hash to be leaked to an attacker-controlled SMB server.

This leaked hash can then be used by an attacker to perform offline cracking attacks to compromise user credentials. The vulnerability can be exploited by tricking a user into accessing a malicious website that triggers the launch-editor middleware to open a UNC path controlled by the attacker. No elevated privileges or user interaction beyond accessing the link are required.

Impact Analysis

This vulnerability can lead to the compromise of user credentials through the leakage of NTLMv2 password hashes. If an attacker obtains these hashes, they can attempt offline cracking to recover the actual passwords, especially if the passwords are weak.

Credential compromise can then impact the confidentiality, integrity, and availability of systems and data that rely on those credentials. This could allow attackers to gain unauthorized access to systems, escalate privileges, or perform further attacks within a network.

Detection Guidance

This vulnerability involves the launch-editor NPM package accessing arbitrary Windows UNC paths, which causes Windows to attempt NTLM authentication and leak NTLMv2 password hashes to an attacker-controlled SMB server.

To detect this vulnerability on your network or system, monitor for unusual outbound SMB authentication attempts to unknown or suspicious remote hosts, especially those initiated by processes related to launch-editor or Node.js applications.

You can use network monitoring tools or commands to detect such activity. For example:

  • Use Windows Event Viewer to check for SMB authentication events (Event ID 4624 or 4776) that show connections to unexpected remote hosts.
  • Use network capture tools like Wireshark or tcpdump to filter SMB traffic and identify connections to suspicious UNC paths or SMB servers.
  • On Windows, use PowerShell commands such as `Get-SmbSession` to list active SMB sessions and identify any unusual remote hosts.
  • Check logs of Node.js applications or middleware using launch-editor for any attempts to open UNC paths.

Mitigation Strategies

The primary mitigation step is to update the launch-editor NPM package to version 2.14.1 or later, where this vulnerability is fixed.

If you are using related packages such as vite or vite-plus, update them to the patched versions: vite 8.0.16, 7.3.5, or 6.4.3, and vite-plus 0.1.24.

Additionally, avoid opening or processing UNC paths from untrusted sources to prevent triggering NTLM authentication to attacker-controlled SMB servers.

Consider monitoring and restricting outbound SMB traffic to untrusted networks as a temporary control.
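
One way to apply the "avoid opening UNC paths from untrusted sources" advice in application code, as an added example (not launch-editor's fix and not code from this page): a guard that rejects UNC and device-namespace paths and confines the target to a project root before the string reaches an editor launcher. The function names and the `C:\proj` root are hypothetical.

```javascript
const path = require('node:path');

// Use Windows path rules on every host OS so the check is testable anywhere.
const win = path.win32;

// True for \\host\share, //host/share, \\?\UNC\host\share and \\.\device forms.
// Windows treats "/" and "\" as the same separator, so normalize first.
function isUncOrDevicePath(p) {
  return String(p).replace(/\//g, '\\').startsWith('\\\\');
}

// Validate an untrusted "file[:line[:column]]" string before it reaches an
// editor launcher. projectRoot is an assumed allow-list root, e.g. C:\proj.
function checkEditorTarget(requested, projectRoot) {
  const m = /^(.+?)(?::(\d+))?(?::(\d+))?$/.exec(String(requested));
  if (!m) return { ok: false, reason: 'malformed' };
  const [, file, line, column] = m;

  // Reject network and device-namespace paths before any filesystem call:
  // merely touching \\host\share is what triggers the NTLM handshake.
  // Local \\?\C:\... paths are rejected too, as a conservative choice.
  if (isUncOrDevicePath(file)) return { ok: false, reason: 'unc-path' };

  const root = win.resolve(projectRoot);
  const abs = win.resolve(root, file);
  if (isUncOrDevicePath(abs)) return { ok: false, reason: 'unc-path' };

  // Confine the target to the project tree (this also blocks other drives
  // and the root directory itself, which is not a file).
  const rel = win.relative(root, abs);
  if (rel === '' || rel === '..' || rel.startsWith('..\\') || win.isAbsolute(rel)) {
    return { ok: false, reason: 'outside-root' };
  }
  return { ok: true, file: abs, line: Number(line) || 1, column: Number(column) || 1 };
}
```

A guard like this complements, and does not replace, upgrading to the patched versions listed above.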
