PT-2026-49574 · Npm · Vite+1
Publicado
2026-06-15
·
Atualizado
2026-06-15
·
CVE-2026-53571
CVSS v4.0
8.2
Alta
| Vetor | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
The contents of files that are specified by
server.fs.deny can be returned to the browser on Windows.Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using
--hostorserver.hostconfig option) - the sensitive file exists in the allowed directories specified by
server.fs.allow - either of:
- the sensitive file exists in an NTFS volume
- the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)
Details
Vite’s dev server denies direct access to sensitive files through
server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied.
Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream.Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.
PoC
bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run devAccess via browser at 
http://localhost:5173/.env::$DATA?raw
Example expected result:
/.env::$DATA?rawreturns the contents of.env/tls.pem::$DATA?rawreturns the contents oftls.pem
Correção
Path traversal
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Vite
Vite-Plus