Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
Blast Radius
Ecosystem impact: 31 npm packages depend on vite (27 direct, 4 indirect). Ecosystem-wide dependent count for version 8.0.0.
Description (GitHub Advisory)
Summary
Any files ending with .map, even outside the project, can be returned to the browser.
Impact
Only apps that match the following conditions are affected:
- explicitly expose the Vite dev server to the network (using the --host or server.host config option)
- have sensitive content in files ending with .map and the path is predictable
Details
In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.
PoC
- Create a minimal PoC sourcemap outside the project root:
  cat > /tmp/poc.map <<'EOF'
  {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
  EOF
- Start the Vite dev server (example):
  pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
- Confirm that direct /@fs access is blocked by strict (returns 403)
- Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map
Analysis (AI)
Path traversal in Vite dev server versions 6.x through 7.3.1 allows unauthenticated remote attackers to bypass filesystem restrictions and retrieve sensitive .map files outside the project root by injecting path traversal sequences into optimized dependency URLs. The vulnerability requires explicit network exposure of the dev server and predictable file paths, but publicly available proof-of-concept code demonstrates the attack. …
Vulnerability Assessment (AI)
Risk Assessment: While CVSS and EPSS data are unavailable, the practical risk is moderate-to-high when conditions align. …
Exploit Scenario: An attacker probes a Vite dev server exposed on a network (e.g., via `--host 0.0.0.0` or a CI/CD pipeline accessible over the network). Using the publicly disclosed PoC technique, the attacker injects path traversal sequences (e.g., `/@vite/deps/../../../tmp/poc.map`) into HTTP requests to the dev server's `.map` endpoint, bypassing `server.fs.strict` restrictions. …
Remediation: Upgrade Vite to a patched version: v6.4.2 or later for the 6.x branch, v7.3.2 or later for the 7.x branch, or v8.0.5 or later for the 8.x branch. …
Identifiers: EUVD-2026-19875, GHSA-4w7w-66w2-5vf9