{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39365", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.349Z", "datePublished": "2026-04-07T19:13:50.927Z", "dateUpdated": "2026-04-15T14:23:24.501Z"}, "containers": {"cna": {"title": "Vite has a Path Traversal in Optimized Deps `.map` Handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9"}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"version": ">= 8.0.0, < 8.0.5", "status": "affected"}, {"version": ">= 7.0.0, < 7.3.2", "status": "affected"}, {"version": ">= 6.0.0, < 6.4.2", "status": "affected"}]}, {"vendor": "vitejs", "product": "vite-plus", "versions": [{"version": "< 0.1.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:13:50.927Z"}, "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server\u2019s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5."}], "source": {"advisory": "GHSA-4w7w-66w2-5vf9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T18:10:42.839064Z", "id": "CVE-2026-39365", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:23:24.501Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39365", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T18:10:42.839064Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T18:10:58.989Z"}}], "cna": {"title": "Vite has a Path Traversal in Optimized Deps `.map` Handling", "source": {"advisory": "GHSA-4w7w-66w2-5vf9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"status": "affected", "version": ">= 8.0.0, < 8.0.5"}, {"status": "affected", "version": ">= 7.0.0, < 7.3.2"}, {"status": "affected", "version": ">= 6.0.0, < 6.4.2"}]}, {"vendor": "vitejs", "product": "vite-plus", "versions": [{"status": "affected", "version": "< 0.1.16"}]}], "references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9", "name": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server\u2019s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:13:50.927Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39365", "state": "PUBLISHED", "dateUpdated": "2026-04-15T14:23:24.501Z", "dateReserved": "2026-04-06T21:29:17.349Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:13:50.927Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FE1AE8AE-8504-4C45-A361-8EF1F8D573AD", "versionEndIncluding": "6.4.1", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8D4169B2-49CC-4174-B1AB-2D61D3441617", "versionEndIncluding": "7.3.1", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "51F8A931-4520-4696-89C4-7F94228654F5", "versionEndIncluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vitejs:vite-plus:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5DE81A10-D69F-4578-8EF1-9817F5E9ED22", "versionEndIncluding": "0.1.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server\u2019s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5."}], "id": "CVE-2026-39365", "lastModified": "2026-04-15T19:58:54.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:30.350", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vite: Vite: Information disclosure via path traversal in dev server's .map request handling", "id": "2456190", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456190"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in Vite. The development server's handling of `.map` requests contains a path traversal vulnerability. A remote attacker can exploit this by sending a specially crafted request with directory traversal sequences (`../`) to bypass security restrictions. This allows the attacker to retrieve `.map` files located outside the project's intended directory, leading to information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-39365", "package_state": [{"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "rhacs-eng/release-main", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-gateway", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-platform-ui", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/mcp-server-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Fix deferred", "package_name": "vite", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-macos-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:1", "fix_state": "Fix deferred", "package_name": "podman-desktop-windows-1-0", "product_name": "Red Hat Build of Podman Desktop"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-ext", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/openshift-local-ext", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}, {"cpe": "cpe:/a:redhat:podman_desktop:0", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/rhel-ext", "product_name": "Red Hat Build of Podman Desktop - Tech Preview"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "vite", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "vite", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/art-images", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-07T19:13:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-39365\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39365\nhttps://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.0.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vite", "source": "cna", "vendor": "vitejs"}, "product": "vite", "vendor": "vitejs"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "vite-plus", "vendor": "vitejs"}], "analysis": {"en": {"generated_at": "2026-04-17T09:52:42.984418+00:00", "value": {"mitigation_remediation": ["Upgrade Vite to version 6.4.2 or later, 7.3.2 or later, or 8.0.5 or later.", "If an upgrade is not immediately possible, restrict access to the development server to trusted IP ranges or keep it on localhost only.", "Ensure that the server.fs.strict allow list is enabled and not overridden.", "Verify that source map files are not served through other routes or exposed unintentionally.", "Apply any vendor patches or updates as they become available."], "summary": {"action": "Immediate Patch", "impact": "Path Traversal exposing source map files"}, "threat_synthesis": {"affected_systems": "Vite releases from 6.0.0 up to but excluding 6.4.2, all releases before 7.3.2, and all releases before 8.0.5 are affected. The flaw is in the core Vite framework and its extensions managed by the vitejs organization, including vite-plus. Any deployment that runs the development server with one of these versions is vulnerable.", "description_and_impact": "The vulnerability allows an attacker to retrieve source map files that reside outside the project root by manipulating the URL path sent to a Vite development server. When the server processes a .map request, it resolves the requested file path without removing relative \"../\" segments, then directly reads the file without enforcing the strict file\u2011system allow list. As a result, an adversary can obtain any source map JSON that can be parsed from directories beyond the intended project boundaries, potentially revealing source code or development information. This weakness corresponds to the directory traversal flaw described by CWE\u201122.", "risk_and_exploitability": "The CVSS score of 6.3 classifies this as moderate severity. The EPSS score of 1% indicates a low but nonzero probability that the vulnerability is exploited. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the likely attack vector would be an unauthenticated HTTP request sent to the development server, which typically serves only local developers but could be exposed to external networks. An attacker exploiting this flaw could read arbitrary source map files outside the project, exposing internal code and debugging data. While no public exploit has been reported, the potential for source disclosure makes timely remediation important."}}}}, "created": "2026-04-08T19:46:24.977660+00:00", "updated": "2026-04-17T10:00:03.569013+00:00", "vendors": ["vitejs", "vitejs$PRODUCT$vite", "vitejs$PRODUCT$vite-plus"]}