CVE-2026-39365

MEDIUM SEVERITY

Vulnerability Description

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Vulnerability Details

Published Date

April 06, 2026

Last Modified

April 08, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

npm

Product

vite

External References

https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9
https://github.com/vitejs/vite/pull/22161
https://github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694
https://github.com/vitejs/vite/releases/tag/v6.4.2
https://github.com/vitejs/vite/releases/tag/v7.3.2
https://github.com/vitejs/vite/releases/tag/v8.0.5
https://github.com/advisories/GHSA-4w7w-66w2-5vf9

CVE-2026-39365

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment