MEDIUMCVE-2026-39365

CVE-2026-39365: Vite Path Traversal Vulnerability (v7.3.1)

Q: What is CVE-2026-39365 — Path Traversal in Vite?

`.map` files are 'source map' files that map compiled (minified or obfuscated) JavaScript code to the original source code. They are used to facilitate debugging.

Q: Am I affected by CVE-2026-39365 in Vite?

It's a Vite configuration option that controls whether the development server allows access to files outside the project's root directory. When enabled, it restricts access to external files.

Q: How do I fix CVE-2026-39365 in Vite?

You can check your Vite version by running the command `vite --version` in your terminal.

Q: Is CVE-2026-39365 being actively exploited?

If you can't update immediately, consider restricting access to the development server to a trusted internal network.

Q: Where can I find the official Vite advisory for CVE-2026-39365?

This vulnerability primarily affects the development server. However, it's important to update to the latest version to avoid potential security issues.

Platform

nodejs

Component

vite

Fixed in

8.0.1

7.0.1

6.0.1

0.1.17

AI Confidence: highNVDEPSS 4.1%Reviewed: Apr 2026

View on NVD

Save

CVE-2026-39365 describes a Path Traversal vulnerability discovered in Vite. This flaw allows an attacker to potentially retrieve arbitrary files from the server if the Vite development server is exposed to the network and sensitive data exists within .map files with predictable paths. The vulnerability affects versions prior to 8.0.5, and a patch has been released to address the issue.

Impact and Attack Scenarios

CVE-2026-39365 in Vite affects versions 6.0.0 up to, but not including, 6.4.2, 7.3.2, and 8.0.5. It allows an attacker to bypass the server.fs.strict allow list of Vite's development server. This is achieved by manipulating .map (source map) file requests to access files outside the project's root directory. In the affected versions, the Vite development server does not properly validate file paths in .map requests, allowing the use of ../ sequences to navigate outside the expected directory. If the attacker can provide a valid path pointing to an external .map file that is valid JSON, they can access it. The primary impact is the potential exposure of sensitive information contained within the source map files, although the usefulness of this information depends on the nature of the source code and the security configurations of the environment.

Exploitation Context

Exploitation of this vulnerability requires access to the Vite development server, either through a direct HTTP request or by manipulating the browser's developer tools. An attacker could craft a malicious request that requests a .map file with a path that includes ../ sequences to navigate outside the project's root directory. The difficulty of exploitation depends on the file system structure and the availability of accessible external .map files. The success of exploitation also depends on the attacker's ability to interpret the content of the obtained .map file, which could contain sensitive information about the source code.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Reports1 threat report

EPSS

4.05% (89% percentile)

CISA SSVC

Exploitationpoc

Automatableyes

Technical Impacttotal

Affected Software

Componentvite

Vendorvitejs

Affected rangeFixed in

>= 8.0.0, < 8.0.5 – >= 8.0.0, < 8.0.58.0.1

>= 7.0.0, < 7.3.2 – >= 7.0.0, < 7.3.27.0.1

>= 6.0.0, < 6.4.2 – >= 6.0.0, < 6.4.26.0.1

< 0.1.16 – < 0.1.160.1.17

Weakness Classification (CWE)

CWE-22

Timeline

Reserved2026-04-06
Published2026-04-07
Modified2026-04-15
EPSS updated2026-04-15

Patched 0 days after disclosure

Mitigation and Workarounds

To mitigate this vulnerability, it is recommended to update Vite to version 6.4.2, 7.3.2, or 8.0.5. These versions include a fix that properly validates file paths in .map requests, preventing unauthorized access to external files. Additionally, review the server.fs.strict configuration to ensure that only the necessary directories are allowed. If an immediate update is not possible, consider restricting access to the development server to a trusted internal network, although this does not eliminate the underlying vulnerability. Applying the update as soon as possible is crucial to protect against potential attacks.

How to fix

Actualice Vite a la versión 6.4.2, 7.3.2 o 8.0.5 para mitigar la vulnerabilidad de recorrido de ruta. Esta actualización corrige la forma en que el servidor de desarrollo maneja las solicitudes de .map, restringiendo el acceso a archivos fuera del directorio raíz del proyecto.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-39365 — Path Traversal in Vite?

.map files are 'source map' files that map compiled (minified or obfuscated) JavaScript code to the original source code. They are used to facilitate debugging.

Am I affected by CVE-2026-39365 in Vite?

It's a Vite configuration option that controls whether the development server allows access to files outside the project's root directory. When enabled, it restricts access to external files.

How do I fix CVE-2026-39365 in Vite?

You can check your Vite version by running the command vite --version in your terminal.

Is CVE-2026-39365 being actively exploited?

If you can't update immediately, consider restricting access to the development server to a trusted internal network.

Where can I find the official Vite advisory for CVE-2026-39365?

This vulnerability primarily affects the development server. However, it's important to update to the latest version to avoid potential security issues.

NextGuard

Vulnerabilities

Package Information

Last updated: 8.0.14recently

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs