Skip to main content

Vite+ CVE-2026-41211

| EUVDEUVD-2026-25163 HIGH
Path Traversal (CWE-22)
2026-04-23 GitHub_M GHSA-33r3-4whc-44c2
8.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
Apr 29, 2026 - 15:49 nvd
Patch available
Re-analysis Queued
Apr 23, 2026 - 13:22 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:48 vuln.today
Patch available
Apr 23, 2026 - 06:16 EUVD
CVSS changed
Apr 23, 2026 - 02:35 NVD
8.4 (HIGH)
EUVD ID Assigned
Apr 23, 2026 - 01:15 euvd
EUVD-2026-25163
Analysis Generated
Apr 23, 2026 - 01:15 vuln.today
CVE Published
Apr 23, 2026 - 00:56 nvd
HIGH 8.4

DescriptionGitHub Advisory

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager() accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP_HOME/package_manager/<pm>/ cache root and make Vite+ delete, replace, and populate directories outside the intended cache location. Version 0.1.17 contains a patch.

AnalysisAI

Path traversal in Vite+ downloadPackageManager() allows local attackers to write or delete arbitrary files outside the intended cache directory. The vulnerability affects Vite+ versions before 0.1.17 and stems from inadequate input validation on the version parameter, enabling directory traversal via '../' sequences or absolute paths. Attackers with local access can manipulate filesystem operations to compromise system integrity and availability (CVSS 8.4, VI:H/VA:H). No public exploit identified at time of analysis, but exploitation requires minimal technical complexity (AC:L) and no authentication (PR:N). Vendor-released patch available in version 0.1.17.

Technical ContextAI

Vite+ is a unified web development toolchain that manages package manager downloads and caching. The vulnerability exists in the downloadPackageManager() function, which constructs filesystem paths using an unsanitized version string parameter. This represents a classic CWE-22 (Path Traversal) weakness where user-controlled input is directly concatenated into file paths without normalization or validation. The affected component stores package managers under VP_HOME/package_manager/<pm>/ but fails to ensure the constructed path remains within this root directory. An attacker can inject path traversal sequences (../) or provide absolute paths (e.g., /etc/critical-file) to escape the intended cache boundary. The CVSS 4.0 vector (AV:L/AC:L/PR:N/UI:N) indicates this is a local attack with low complexity requiring no privileges or user interaction, affecting integrity and availability of both the vulnerable system (VI:H/VA:H) and subsequent systems (SI:H/SA:H) that may rely on the manipulated cache.

RemediationAI

Upgrade Vite+ to version 0.1.17 or later, which includes input validation to prevent path traversal in downloadPackageManager(). This is the primary and recommended fix as confirmed by the vendor security advisory at https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2. For environments unable to immediately upgrade, implement strict input validation on any version strings passed to downloadPackageManager() by rejecting inputs containing '../' sequences, absolute paths (starting with '/' or drive letters), or non-alphanumeric characters beyond standard version notation (digits, dots, hyphens). Restrict file system permissions on VP_HOME/package_manager/ and parent directories to prevent unauthorized writes outside the cache root, though this provides only partial mitigation since the application itself runs with legitimate write permissions. Consider running Vite+ processes in sandboxed environments (containers, VMs) with limited filesystem access to contain potential damage from path traversal exploitation. Review CI/CD pipeline configurations to ensure version parameters originate from trusted sources only, not from user-provided input in pull requests or external webhooks.

Share

CVE-2026-41211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy