Platform: nodejs
Component: vite
Fixed in: 8.0.1, 7.1.1, 0.1.17, 8.0.5
CVE-2026-39364 describes a sensitive file disclosure vulnerability in Vite. This flaw allows attackers to retrieve files that are explicitly denied via server.fs.deny if the Vite development server is exposed to the network and the file exists within allowed directories. The vulnerability impacts Vite versions before 8.0.5, and a fix is available in version 8.0.5.
An attacker can exploit this vulnerability by leveraging a misconfigured Vite development server. Specifically, the server must be accessible from the network (using --host or server.host configuration) and the sensitive file must reside within the directories permitted by server.fs.allow. Successful exploitation allows the attacker to retrieve the contents of these files, potentially exposing sensitive data such as API keys, configuration files, or source code. The impact is heightened if the exposed server is used in a production-like environment or if the sensitive files contain credentials or other confidential information.
This vulnerability was publicly disclosed on April 6, 2026. There is currently no indication of active exploitation campaigns. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.5 (High) reflects the severity of the impact when the preconditions above are met.
Exploit Status
EPSS: 2.56% (86th percentile)
CISA SSVC
The primary mitigation is to upgrade to Vite version 8.0.5 or later. If upgrading is not immediately feasible, restrict network access to the Vite development server. Avoid using --host or server.host unless absolutely necessary and carefully review the server.fs.deny and server.fs.allow configurations to ensure that sensitive files are properly protected. Consider implementing a Web Application Firewall (WAF) to filter requests and block access to unauthorized files. Regularly review and update Vite configurations to minimize the attack surface.
Update Vite to version 7.3.2 or higher, or to version 8.0.5 or higher. This corrects the vulnerability by preventing unauthorized access to files blocked by the `server.fs.deny` configuration.
CVE-2026-39364 is a HIGH severity vulnerability affecting Vite versions before 8.0.5. It allows attackers to retrieve sensitive files if the Vite development server is exposed to the network.
You are affected if you use a Vite version prior to 8.0.5, your development server is accessible from the network, and sensitive files exist within the allowed directories.
Upgrade to Vite version 8.0.5 or later. If immediate upgrade is not possible, restrict network access to the Vite development server and review your server.fs.deny and server.fs.allow configurations.
There is currently no indication of active exploitation campaigns or publicly available proof-of-concept code.
Refer to the Vite project's official security advisory for detailed information and updates: https://vitejs.dev/