SB2026040862 - Multiple vulnerabilities in Vite
Published: April 8, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2026-39365)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the Vite dev server's handling of .map requests for optimized dependencies when processing crafted .map requests. A remote attacker can send a specially crafted request containing ../ segments to disclose sensitive information.
Only applications that explicitly expose the dev server to the network are affected, and only files ending in .map that can be parsed as valid source map JSON can be retrieved.
2) Incorrect Behavior Order: Validate Before Canonicalize (CVE-ID: CVE-2026-39364)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists because the Vite dev server's file access control validates a request against server.fs.deny before canonicalizing it, when handling requests for denied files that carry query parameters such as ?raw, ?import&raw, or ?import&url&inline. A remote attacker can send a specially crafted request to disclose sensitive information.
Only applications that explicitly expose the Vite dev server to the network are affected, and the targeted file must exist in directories allowed by server.fs.allow while matching a deny pattern in server.fs.deny.
3) Missing Authentication for Critical Function (CVE-ID: CVE-2026-39363)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to missing access control in the Vite dev server's WebSocket handling of the fetchModule method when a WebSocket request invokes fetchModule with a file URL. A remote attacker can send a specially crafted WebSocket event to disclose sensitive information.
Only applications that explicitly expose the dev server to the network and have WebSocket support enabled are affected. Exploitation requires the ability to connect to the WebSocket without an Origin header.
Remediation
Install the update from the vendor's website.
References
- https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9
- https://github.com/advisories/GHSA-4w7w-66w2-5vf9
- https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r
- https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583
- https://github.com/advisories/GHSA-p9ff-h696-f583