Platform: nodejs
Component: vite
Fixed in: 8.0.1, 7.1.1, 0.1.17, 8.0.5
CVE-2026-39364 describes a sensitive file disclosure vulnerability in Vite. This flaw allows attackers to retrieve files that are explicitly denied via server.fs.deny if the Vite development server is exposed to the network and the file exists within allowed directories. The vulnerability impacts Vite versions before 8.0.5, and a fix is available in version 8.0.5.
The core of the vulnerability lies in Vite's file serving capabilities when the development server is accessible from outside the local machine. Specifically, if the server.fs.deny configuration is not properly configured to block access to sensitive files, an attacker can craft requests to retrieve these files through the Vite dev server. This is particularly concerning if sensitive data, such as API keys, configuration files, or source code containing credentials, resides within the allowed directories specified by server.fs.allow. Successful exploitation could lead to unauthorized access to confidential information, potentially enabling further attacks or data breaches.
This vulnerability was publicly disclosed on April 6, 2026. There is no indication of active exploitation at this time, but the availability of a public proof-of-concept could change this. The vulnerability is not currently listed on CISA KEV. The ease of exploitation depends on the attacker's ability to identify sensitive files and expose the Vite dev server to the network.
Development teams using Vite in projects where the development server is inadvertently exposed to the network are at risk. This includes developers using shared hosting environments or those who have not properly configured their Vite server settings. Projects relying on Vite for local development and testing are also vulnerable if the server is accessible from outside the development environment.
• nodejs: Monitor process arguments for --host or --port to identify exposed Vite development servers.
ps aux | grep -E '(vite|node).*--(host|port)' | grep -v grep
• nodejs: Check for unusual file access patterns within the Vite project directory, particularly targeting files denied by server.fs.deny. Reads through the dev server do not change modification times, so the check keys on access time and only works on filesystems that record it (not mounted with noatime).
find . -type f -atime -1 -print0 | xargs -0 ls -l
• generic web: Monitor access logs for requests targeting files within the Vite project directory, especially those that should be denied.
• generic web: Inspect response headers for unexpected content types or file extensions when accessing files within the Vite project directory.
Exploit status: disclosure
EPSS: 2.56% (86th percentile)
CISA SSVC
The primary mitigation is to upgrade to Vite version 8.0.5 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, carefully review and strengthen the server.fs.deny configuration to ensure that all sensitive files are explicitly blocked from access. Consider using a Web Application Firewall (WAF) to filter requests and block attempts to access unauthorized files. Regularly audit the Vite configuration and file system permissions to identify and address any potential misconfigurations. After upgrade, confirm by attempting to access a previously denied file through the Vite dev server; access should be blocked.
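As an added check for the configuration review described above (example code, not from the Vite project or this advisory; the function names, the DEFAULT_DENY list and the extra deny patterns are assumptions), a small audit of a Vite server config beside a hardened one:

```javascript
// Added example (not Vite project code): audit a Vite dev-server config for the
// two conditions this advisory combines, network exposure and sensitive files
// reachable under server.fs.allow, and build a hardened config. Plain objects are
// used so this runs without Vite installed; in a real vite.config.js the same
// object is what you pass to defineConfig().

// Vite's documented default deny patterns. Setting server.fs.deny explicitly
// replaces the defaults rather than extending them, so an explicit list must
// still contain these.
const DEFAULT_DENY = ['.env', '.env.*', '*.{crt,pem}', '**/.git/**'];
const LOOPBACK = ['localhost', '127.0.0.1', '::1'];

// True when server.host would bind to non-loopback interfaces
// (`vite --host` sets host to true, which listens on all addresses).
function isNetworkExposed(server = {}) {
  const host = server.host;
  if (host === true) return true;
  if (typeof host === 'string') return !LOOPBACK.includes(host);
  return false; // unset: Vite listens on localhost only
}

// Returns a list of findings; an empty array means nothing was flagged.
function auditServerConfig(config = {}) {
  const server = config.server ?? {};
  const fs = server.fs ?? {};
  const findings = [];
  if (isNetworkExposed(server)) findings.push('dev server is reachable from the network');
  if (fs.strict === false) findings.push('server.fs.strict is disabled');
  if (Array.isArray(fs.deny)) {
    for (const pattern of DEFAULT_DENY) {
      if (!fs.deny.includes(pattern)) findings.push(`server.fs.deny drops default pattern ${pattern}`);
    }
  }
  return findings;
}

// Hardened config: loopback only, strict serving, defaults kept plus extra
// secret patterns (the extra patterns are an assumed example; adjust per project).
function hardenedServerConfig() {
  return {
    server: {
      host: 'localhost',
      strictPort: true,
      fs: {
        strict: true,
        allow: ['.'], // project root only, not the wider workspace root
        deny: [...DEFAULT_DENY, '*.key', 'secrets/**', '**/credentials*'],
      },
    },
  };
}
```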
Update Vite to version 7.3.2 or later, or to version 8.0.5 or later. This fixes the vulnerability by preventing unauthorized access to files blocked by the `server.fs.deny` configuration.
CVE-2026-39364 is a HIGH severity vulnerability affecting Vite versions before 8.0.5. It allows attackers to retrieve sensitive files if the Vite development server is exposed to the network.
You are affected if you are using Vite versions prior to 8.0.5 and your development server is accessible from the network, and sensitive files exist within allowed directories.
Upgrade to Vite version 8.0.5 or later. If immediate upgrade is not possible, restrict network access to the Vite development server and review your server.fs.deny and server.fs.allow configurations.
There is currently no indication of active exploitation campaigns or publicly available proof-of-concept code.
Refer to the Vite project's official security advisory for detailed information and updates: https://vitejs.dev/