EUVD-2026-19873
GHSA-v2wj-q39q-566r
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 31 npm packages depend on vite (27 direct, 4 indirect)
Ecosystem-wide dependent count for version 8.0.0.
DescriptionGitHub Advisory
Summary
The contents of files that are specified by server.fs.deny can be returned to the browser.
Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using
--hostorserver.hostconfig option) - the sensitive file exists in the allowed directories specified by
server.fs.allow - the sensitive file is denied with a pattern that matches a file by
server.fs.deny
Details
On the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended.
PoC
- Start the dev server:
pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort - Confirm that
server.fs.denyis enforced (expect 403):curl -i http://127.0.0.1:5175/src/.env | head -n 20
<img width="3944" height="1092" alt="image" src="https://github.com/user-attachments/assets/ecb9f2e0-e08f-4ac7-b194-e0f988c4cd4f" />
- Confirm that the same files can be retrieved with query parameters (expect 200):
<img width="2014" height="373" alt="image" src="https://github.com/user-attachments/assets/76bc2a6a-44f4-4161-ae47-eab5ae0c04a8" />
AnalysisAI
Vite development server allows unauthorized file disclosure by bypassing server.fs.deny restrictions when specific query parameters (?raw, ?import&raw, ?import&url&inline) are appended to file requests. The npm package 'vite' is affected when the dev server is explicitly exposed to the network and sensitive files exist within allowed directories but are supposedly blocked by deny patterns. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Vite dev server explicitly exposed to network via --host flag or server.host config option. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate and highly conditional on deployment configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer runs a Vite dev server with --host 0.0.0.0 to enable testing from mobile devices on the local network, with a .env file in the project containing database credentials and API keys. The developer has configured server.fs.deny to block .env access. … |
| Remediation | Upgrade to Vite version 7.3.2 or later for the 7.x series, or version 8.0.5 or later for the 8.x series. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Vite installations via npm list vite across development and staging environments and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today