CVE-2026-39365
Published 2026-04-07
Priority: P179 · Medium · CVSS 3.1 base score 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Flags: ITW · Exploit · VulnCheck KEV · Exploited in the wild
EPSS: 0.91% (55.6th percentile)
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | >= 0 < 6.4.2 | 6.4.2 |
| vitejs | vite | 6.0.0 – 6.4.1 | — |
| vitejs | vite | >= 7.0.0 < 7.3.2 | 7.3.2 |
| vitejs | vite | 7.0.0 – 7.3.1 | — |
| vitejs | vite | >= 8.0.0 < 8.0.5 | 8.0.5 |
| vitejs | vite | 8.0.0 – 8.0.4 | — |
| vitejs | vite-plus | < 0.1.16 | 0.1.16 |
| voidzero | vite | <= 0.1.15 | — |
Detection & IOCs (extracted from sources)
- url: `/node_modules/.vite/deps/../../../config.production.js.map`
- path: `/node_modules/.vite/deps/`
- other: shodan: `http.html:"/@vite/client" port:"5173"`
- other: fofa: `body="/@vite/client" && port="5173"`
- Path traversal requests targeting the Vite optimized deps sourcemap handler will contain `../` sequences within a URL path starting with `/node_modules/.vite/deps/` and ending in `.map`.
- A successful exploit response will be `application/json` with HTTP 200, and the body will contain both `"version":3` and `"mappings"` fields, plus a `"file"` field starting with `/` (absolute filesystem path), indicating a source map from outside the project root was returned.
- Only Vite dev servers explicitly exposed to the network are reachable; look for the `--host` flag or `server.host` configuration in process arguments or config files as a prerequisite for exposure.
- Fingerprint a Vite dev server by checking for the string `/@vite/client` in the HTTP response body on port 5173 before attempting the path traversal.
- The leaked `"file"` field in the returned source map JSON will expose an absolute filesystem path, which can be extracted with the regex `"file":"([^"]+)"`.
- The path traversal only allows retrieval of `.map` files that can be parsed as valid source map JSON; arbitrary file reads are not possible through this vector.
- The vulnerability is limited to the Vite development server; production builds and non-dev server deployments are not affected.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| NVD | 4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | — | 6.3 | MEDIUM | — |
| Red Hat (vendor) | — | 6.3 | MEDIUM | — |
GHSA
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
ghsa · 2026-04-06 · CVE-2026-39365 · MEDIUM · CWE-200
### Summary
Any file ending with `.map`, even outside the project, can be returned to the browser.
### Impact
Only apps that match the following conditions are affected:
- they explicitly expose the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- they have sensitive content in files ending with `.map`, and the path is predictable
### Details
In Vite v7.3.1, the dev server’s handling of `.map` requests for optimized dependencies resolves file paths and calls `readFile` without restricting `../` segments in the URL. As a result, it is possible to bypass the [`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict)
OSV
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
osv · 2026-04-06 · CVE-2026-39365 · MEDIUM
VulnCheck
vitejs vite Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2026 · CVSS 6.3 · MEDIUM
Affected: vitejs vite
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api
Red Hat
vite: Vite: Information disclosure via path traversal in dev server's .map request handling
vendor_redhat · 2026-04-07 · CVSS 6.3 · MEDIUM · CWE-22
A flaw was found in Vite. The development server's handling of `.map` requests contains a path traversal vulnerability. A remote attacker can exploit this by sending a specially crafted request with directory traversal sequences (`../`) to bypass security restrictions. This allows the attacker to retrieve `.map` files located outside the project's intended directory, leading to information disclosure.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: rhacs-eng/release-main (Red Hat Advanced Clus
No detection rules found.
Nuclei
Vite Dev Server - Path Traversal in Optimized Deps .map Handling
nuclei · CVSS 6.3 · MEDIUM
Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and calls readFile without restricting ../ segments in the URL. This allows an attacker to bypass server.fs.strict and retrieve auto-generated sourcemaps for files located outside the project root, leaking absolute filesystem paths. Only dev servers explicitly exposed to the network using --host or server.host are affected.
Template:
```yaml
id: CVE-2026-39365
info:
  name: Vite Dev Server - Path Traversal in Optimized Deps .map Handling
  auth
```
Bugzilla
CVE-2026-39365 forgejo: Vite: Information disclosure via path traversal in dev server's .map request handling [epel-all]
bugzilla · 2026-04-07 · CVSS 6.3 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39365 vite: Vite: Information disclosure via path traversal in dev server's .map request handling
bugzilla · 2026-04-07 · CVSS 6.3 · MEDIUM
Bugzilla
CVE-2026-39365 forgejo: Vite: Information disclosure via path traversal in dev server's .map request handling [fedora-all]
bugzilla · 2026-04-07 · CVSS 6.3 · MEDIUM
Bugzilla
CVE-2026-39365 nodejs-aw-webui: Vite: Information disclosure via path traversal in dev server's .map request handling [fedora-all]
bugzilla · 2026-04-07 · CVSS 6.3 · MEDIUM
Wiz
CVE-2026-39365 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3 · MEDIUM
## CVE-2026-39365: JavaScript vulnerability analysis and mitigation
Summary, Impact and Details: text not recovered.
## PoC
```shell
cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF
pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
```
Score: 6.3 (source: NVD)
- Published: April 6, 2026
- Severity: MEDIUM
- CNA Score: N/A
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): N/A
- Exploitation Probability (EPSS): N/A