Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager() accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP_HOME/package_manager/<pm>/ cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.
AnalysisAI
Path traversal in Vite+ downloadPackageManager() allows local attackers to write or delete arbitrary files outside the intended cache directory. The vulnerability affects Vite+ versions before 0.1.17 and stems from inadequate input validation on the version parameter, enabling directory traversal via '../' sequences or absolute paths. Attackers with local access can manipulate filesystem operations to compromise system integrity and availability (CVSS 8.4, VI:H/VA:H). No public exploit identified at time of analysis, but exploitation requires minimal technical complexity (AC:L) and no authentication (PR:N). Vendor-released patch available in version 0.1.17.
Technical ContextAI
Vite+ is a unified web development toolchain that manages package manager downloads and caching. The vulnerability exists in the downloadPackageManager() function, which constructs filesystem paths using an unsanitized version string parameter. This represents a classic CWE-22 (Path Traversal) weakness where user-controlled input is directly concatenated into file paths without normalization or validation. The affected component stores package managers under VP_HOME/package_manager/<pm>/ but fails to ensure the constructed path remains within this root directory. An attacker can inject path traversal sequences (../) or provide absolute paths (e.g., /etc/critical-file) to escape the intended cache boundary. The CVSS 4.0 vector (AV:L/AC:L/PR:N/UI:N) indicates this is a local attack with low complexity requiring no privileges or user interaction, affecting integrity and availability of both the vulnerable system (VI:H/VA:H) and subsequent systems (SI:H/SA:H) that may rely on the manipulated cache.
RemediationAI
Upgrade Vite+ to version 0.1.17 or later, which includes input validation to prevent path traversal in downloadPackageManager(). This is the primary and recommended fix as confirmed by the vendor security advisory at https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2. For environments unable to immediately upgrade, implement strict input validation on any version strings passed to downloadPackageManager() by rejecting inputs containing '../' sequences, absolute paths (starting with '/' or drive letters), or non-alphanumeric characters beyond standard version notation (digits, dots, hyphens). Restrict file system permissions on VP_HOME/package_manager/ and parent directories to prevent unauthorized writes outside the cache root, though this provides only partial mitigation since the application itself runs with legitimate write permissions. Consider running Vite+ processes in sandboxed environments (containers, VMs) with limited filesystem access to contain potential damage from path traversal exploitation. Review CI/CD pipeline configurations to ensure version parameters originate from trusted sources only, not from user-provided input in pull requests or external webhooks.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25163
GHSA-33r3-4whc-44c2