CVE-2026-39365
published 2026-04-07


Priority: P179
Severity: medium (CVSS 3.1 base score 5.3; vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitation: exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 0.91% (55.6th percentile)
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Affected (11 ranges)

Vendor     Product     Version range        Fixed in
vitejs     vite        (range not given)    -
vitejs     vite        (range not given)    -
vitejs     vite        (range not given)    -
vitejs     vite        >= 0 < 6.4.2         6.4.2
vitejs     vite        6.0.0 – 6.4.1        -
vitejs     vite        >= 7.0.0 < 7.3.2     7.3.2
vitejs     vite        7.0.0 – 7.3.1        -
vitejs     vite        >= 8.0.0 < 8.0.5     8.0.5
vitejs     vite        8.0.0 – 8.0.4        -
vitejs     vite-plus   < 0.1.16             0.1.16
voidzero   vite        <= 0.1.15            -

Detection & IOCs (extracted from sources)

url: /node_modules/.vite/deps/../../../config.production.js.map
path: /node_modules/.vite/deps/
other (shodan): http.html:"/@vite/client" port:"5173"
other (fofa): body="/@vite/client" && port="5173"
  • Path traversal requests targeting the Vite optimized deps sourcemap handler will contain `../` sequences within a URL path starting with `/node_modules/.vite/deps/` and ending in `.map`.
  • A successful exploit response will be `application/json` with HTTP 200, and the body will contain both `"version":3` and `"mappings"` fields, plus a `"file"` field starting with `/` (absolute filesystem path), indicating a source map from outside the project root was returned.
  • Only Vite dev servers explicitly exposed to the network are reachable; look for `--host` flag or `server.host` configuration in process arguments or config files as a prerequisite for exposure.
  • Fingerprint a Vite dev server by checking for the string `/@vite/client` in the HTTP response body on port 5173 before attempting the path traversal.
  • The leaked `"file"` field in the returned source map JSON will expose an absolute filesystem path, which can be extracted with the regex `"file":"([^"]+)"`.
  • The path traversal only allows retrieval of `.map` files that can be parsed as valid source map JSON; arbitrary file reads are not possible through this vector.
  • The vulnerability is limited to the Vite development server; production builds and non-dev server deployments are not affected.
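The detection points above (a `../` segment in a `/node_modules/.vite/deps/…*.map` request, and a 200 `application/json` response carrying `"version":3`, `"mappings"` and an absolute `"file"` path) can be turned into a log check. The following is an added example, not code from the page or from the Vite project; the access-log lines and the response body are constructed samples, and the combined-log regex and function names are assumptions.

```python
import json
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page), common log format.
SAMPLE_LOG = """\
10.0.0.7 - - [07/Apr/2026:10:01:02 +0000] "GET /node_modules/.vite/deps/../../../config.production.js.map HTTP/1.1" 200 812
10.0.0.7 - - [07/Apr/2026:10:01:03 +0000] "GET /node_modules/.vite/deps/chunk-ABC123.js.map HTTP/1.1" 200 4410
10.0.0.9 - - [07/Apr/2026:10:02:10 +0000] "GET /node_modules/.vite/deps/%2e%2e/%2e%2e/secrets.js.map HTTP/1.1" 200 640
10.0.0.9 - - [07/Apr/2026:10:02:11 +0000] "GET /src/main.ts HTTP/1.1" 200 1200
"""

# Constructed sample response body resembling a source map served from outside the project root.
SAMPLE_RESPONSE = '{"version":3,"file":"/home/dev/app/config.production.js","sources":["x.js"],"mappings":"AAAA"}'

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
DEPS_PREFIX = "/node_modules/.vite/deps/"

def is_traversal_map_request(raw_path: str) -> bool:
    """True when a request hits the optimized-deps sourcemap handler with a '..' path segment."""
    path = unquote(raw_path.split("?", 1)[0])  # decode %2e%2e forms and drop any query string
    if not path.startswith(DEPS_PREFIX) or not path.endswith(".map"):
        return False
    return ".." in path.split("/")

def suspicious_requests(log_text: str) -> list:
    """Return the log entries that match the traversal pattern, with client IP and status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_map_request(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits

def leaked_external_sourcemap(body: str) -> Optional[str]:
    """Return the absolute 'file' path if the body is a v3 source map pointing outside the project, else None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if doc.get("version") != 3 or "mappings" not in doc:
        return None
    file_field = doc.get("file")
    if isinstance(file_field, str) and file_field.startswith("/"):
        return file_field
    return None
```

A request flagged by `suspicious_requests` that also returned a 200 whose body `leaked_external_sourcemap` accepts is the combination the indicators above describe; requests for regular `chunk-*.js.map` files are ignored.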

CVSS provenance

nvd (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd (v4.0): 6.3 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 6.3 MEDIUM
vendor_redhat: 6.3 MEDIUM