CVE-2026-39364
Published 2026-04-07
Priority P3 · 56 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit
EPSS 2.10% (79.3th percentile)
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | 7.0.0 – 7.3.1 | — |
| vitejs | vite | >= 7.1.0 < 7.3.2 | 7.3.2 |
| vitejs | vite | >= 8.0.0 < 8.0.5 | 8.0.5 |
| vitejs | vite | 8.0.0 – 8.0.4 | — |
| vitejs | vite-plus | < 0.1.16 | 0.1.16 |
| voidzero | vite | <= 0.1.15 | — |
Detection & IOCs (extracted from sources)
sigma:
contains_all(body, "export default", "data:application/json;base64") AND contains_any(content_type, "text/javascript", "application/javascript") AND status_code == 200
- Look for HTTP GET requests to sensitive files (e.g., /.env, *.crt) that include the query parameters ?raw, ?import&raw, or ?import&url&inline and return HTTP 200 responses; these indicate a successful bypass of server.fs.deny restrictions.
- Detect Vite dev server exposure via the presence of /@vite/client in HTTP response bodies (FOFA/Shodan fingerprint).
- Exploit confirmation: a successful bypass returns a JavaScript content-type response containing 'export default' and 'data:application/json;base64' in the body with status 200, while a direct request to the same file returns 403.
- Directory traversal variant: detect requests containing dot-segment sequences (e.g., /.vite/../) targeting the Vite dev server when --host or server.host is enabled.
- The vulnerability is exploitable without authentication against Vite dev servers exposed on the network (--host flag). Prioritize detection on internet-facing or LAN-exposed dev servers.
- The query-parameter bypass (CVE-2026-39364) affects Vite versions 7.1.0 up to (but not including) 7.3.2 and 8.0.5. The directory traversal variant described in the Nuclei entry below affects versions prior to 6.4.3, 6.3.4, and 5.4.23; these are distinct version ranges and may represent a related but separate issue.
- The vulnerability only affects the Vite development server, not production builds. Exposure requires the dev server to be network-accessible (via --host or server.host configuration).
- Red Hat notes no mitigation is currently available that meets their criteria; affected packages include automation-controller, automation-eda-controller, automation-gateway, automation-platform-ui, and others in Red Hat Ansible Automation Platform 2.
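As an added example (not code from any of the sources quoted on this page, and not Vite's own), the following Node.js script applies the first heuristic above to access-log lines: it flags GET requests whose file name matches a server.fs.deny-style pattern, whose query string is one of the listed bypass forms (?raw, ?import&raw, ?import&url&inline), and which were answered with HTTP 200. The deny patterns other than .env and *.crt, the Common Log Format parsing, and the sample log lines are assumptions constructed for the example.

```javascript
// Added example, not code from the advisory sources or from Vite: scan
// access-log lines for the CVE-2026-39364 bypass pattern described above:
// a GET for a file that server.fs.deny should cover, carrying one of the
// reported query forms (?raw, ?import&raw, ?import&url&inline), answered 200.

// Deny patterns to watch. ".env" and "*.crt" come from the advisory; the others
// are assumed additions for this example, not Vite's own default list.
const DENY_PATTERNS = [".env", ".env.*", "*.crt", "*.pem", "*.key"];

// Turn a basename glob ("*.crt", ".env.*") into an anchored RegExp; only "*" is special.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}
const DENY_REGEXPS = DENY_PATTERNS.map(globToRegExp);

// True when the last path segment matches one of the deny patterns.
function isDeniedPath(pathname) {
  let decoded = pathname;
  try { decoded = decodeURIComponent(pathname); } catch (e) { /* keep raw on bad escapes */ }
  const base = decoded.split("/").pop();
  return DENY_REGEXPS.some((re) => re.test(base));
}

// True for the bypass query forms listed in the advisory. A bare ?import is
// ordinary Vite module traffic and must not trigger the rule.
function hasBypassQuery(query) {
  const params = new URLSearchParams(query);
  return params.has("raw") ||
    (params.has("import") && params.has("url") && params.has("inline"));
}

// Parse one Common Log Format line into client, timestamp, method, path, query, status.
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+/;
function parseLogLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  const target = m[4];
  const q = target.indexOf("?");
  return {
    client: m[1],
    time: m[2],
    method: m[3],
    pathname: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? "" : target.slice(q + 1),
    status: Number(m[5]),
  };
}

// One finding per line that satisfies all three conditions (denied name, bypass query, 200).
function findBypasses(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req || req.method !== "GET" || req.status !== 200) continue;
    if (isDeniedPath(req.pathname) && hasBypassQuery(req.query)) {
      findings.push({
        client: req.client,
        time: req.time,
        target: req.query ? `${req.pathname}?${req.query}` : req.pathname,
      });
    }
  }
  return findings;
}

// Constructed sample lines (not captured from any real system).
const SAMPLE_LOG = [
  '127.0.0.1 - - [07/Apr/2026:10:00:01 +0000] "GET /src/.env HTTP/1.1" 403 -', // direct request, correctly denied
  '10.0.0.5 - - [07/Apr/2026:10:00:02 +0000] "GET /src/.env?raw HTTP/1.1" 200 512', // bypass form, served
  '10.0.0.5 - - [07/Apr/2026:10:00:03 +0000] "GET /certs/server.crt?import&url&inline HTTP/1.1" 200 2048', // bypass form, served
  '10.0.0.5 - - [07/Apr/2026:10:00:04 +0000] "GET /src/main.ts?import HTTP/1.1" 200 900', // normal module request
  '10.0.0.5 - - [07/Apr/2026:10:00:05 +0000] "GET /src/.env?import&raw HTTP/1.1" 404 -', // bypass form, but nothing returned
];

for (const f of findBypasses(SAMPLE_LOG)) {
  console.log(`ALERT fs.deny bypass: ${f.client} fetched ${f.target} at ${f.time}`);
}
```

Run with `node` against lines read from a reverse proxy or the dev machine's access log; on the constructed sample it reports the two 200 responses for `/src/.env?raw` and `/certs/server.crt?import&url&inline`. The "exploit confirmation" heuristic (a JavaScript content type with `export default` and a `data:application/json;base64` URI in the body) needs response bodies, which a Common Log Format line does not carry, so it has to be applied at a proxy or WAF that logs bodies.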
CVSS provenance
- nvd, v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- nvd, v4.0: 8.2 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vendor_redhat: 8.2 HIGH
GHSA
Vite: `server.fs.deny` bypassed with queries
ghsa · 2026-04-06 · CVE-2026-39364 [HIGH] CWE-180
### Summary
The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- the sensitive file exists in the allowed directories specified by [`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow)
- the sensitive file is denied with a pattern that matches a file by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny)
### Details
On the Vite dev server, files that should be blocke
OSV
Vite: `server.fs.deny` bypassed with queries
osv · 2026-04-06 · CVE-2026-39364 [HIGH]
Red Hat
vite: Vite: Information disclosure via query parameter manipulation on the development server
vendor_redhat · 2026-04-07 · CVSS 8.2 · CVE-2026-39364 [HIGH] CWE-472
A flaw was found in Vite, a frontend tooling framework for JavaScript. On the Vite development server, a remote attacker could exploit this vulnerability by appending specific query parameters, such as ?raw, to requests. This allows the attacker to bypass security restrictions and retrieve sensitive files, including environment variables (.env) and certificate files (*.crt), which should otherwise be blocked. This information disclosure could lead to further compromise of the system.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread i
No detection rules found.
Nuclei
Vite Dev Server - Directory Traversal
nuclei · CVSS 8.2 · CVE-2026-39364 [HIGH]
Vite is a modern frontend build tool. In Vite prior to versions 6.4.3, 6.3.4, and 5.4.23, a directory traversal vulnerability affects the Vite development server. When the Vite dev server is launched with the --host or server.host option, an unauthenticated attacker can craft a request with a path containing dot segments (e.g., /.vite/../) to bypass static file restrictions and access arbitrary files on the filesystem under the project root. The vulnerability allows access to files normally denied by Vite’s "server.fs.deny" setting, including sensitive files like .env, configuration files, or credentials in the project root. This issue has been fixed in versions 6.4.3, 6.3.4, and 5.4.23.
Template:
```yaml
id: CVE-2026-39364
info:
name: Vite Dev Server - Di
```
Bugzilla
CVE-2026-39364 vite: Vite: Information disclosure via query parameter manipulation on the development server
bugzilla · 2026-04-07 · CVSS 8.2 · CVE-2026-39364 [HIGH]
Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.
Bugzilla
CVE-2026-39364 nodejs-aw-webui: Vite: Information disclosure via query parameter manipulation on the development server [fedora-all]
bugzilla · 2026-04-07 · CVSS 8.2 · CVE-2026-39364 [HIGH]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39364 forgejo: Vite: Information disclosure via query parameter manipulation on the development server [epel-all]
bugzilla · 2026-04-07 · CVSS 8.2 · CVE-2026-39364 [HIGH]
Bugzilla
CVE-2026-39364 forgejo: Vite: Information disclosure via query parameter manipulation on the development server [fedora-all]
bugzilla · 2026-04-07 · CVSS 8.2 · CVE-2026-39364 [HIGH]
Wiz
CVE-2026-39364 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3 · CVE-2026-39364 [MEDIUM]
## CVE-2026-39364: JavaScript vulnerability analysis and mitigation
## Summary
`server.fs.deny`
## Impact
Only apps that match the following conditions are affected:
`--host`, `server.host`, `server.fs.allow`, `server.fs.deny`
## Details
`server.fs.deny`, `.env`, `*.crt`, `?raw`, `?import&raw`, `?import&url&inline`
## PoC
```sh
pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort
```
`server.fs.deny`
```sh
curl -i http://127.0.0.1:5175/src/.env | head -n 20
```
Confirm that the same files can be retrieved with query parameters (expect 200):
Source: NVD
- Score: 8.2
- Published: April 6, 2026
- Severity: HIGH
- CNA Score: N/A
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): N/A
Published 2026-04-07