CVE-2026-39365

Vite has a Path Traversal in Optimized Deps `.map` Handling

Title source: cna

Description

Vite is a frontend tooling framework for JavaScript. In versions from 6.0.0 up to (but not including) 6.4.2, 7.3.2, and 8.0.5, the dev server's handling of `.map` requests for optimized dependencies resolves the requested file path and calls readFile without restricting `../` segments in the URL. As a result, the server.fs.strict allow list can be bypassed to retrieve `.map` files located outside the project root, provided they parse as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Nuclei Templates (1)

Vite Dev Server - Path Traversal in Optimized Deps .map Handling
Severity: MEDIUM, verified, by theamanrawat
Shodan: http.html:"/@vite/client" port:"5173"
FOFA: body="/@vite/client" && port="5173"

Scores

CVSS v3 5.3
EPSS 0.0115
EPSS Percentile 78.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-22
Status published
Products (7)
npm/vite 8.0.0 - 8.0.5
vitejs/vite 6.0.0 - 6.4.1
vitejs/vite >= 6.0.0, < 6.4.2
vitejs/vite >= 7.0.0, < 7.3.2
vitejs/vite >= 8.0.0, < 8.0.5
vitejs/vite-plus < 0.1.15
vitejs/vite-plus < 0.1.16
Published Apr 07, 2026
Tracked Since Apr 08, 2026