PT-2026-30868 · Vite · Vite

Fg0X0 +6 · Published 2026-04-06 · Updated 2026-05-29 · CVE-2026-39364

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Vite versions 7.1.0 through 7.3.1 and 8.0.0 through 8.0.4

Description

Vite, a frontend tooling framework for JavaScript, allows retrieval of files blocked by server.fs.deny (such as .env and *.crt files) with HTTP 200 responses when specific query parameters like ?raw, ?import&raw, or ?import&url&inline are appended to the request. This occurs when the Vite dev server is exposed to the network and sensitive files are both allowed by server.fs.allow and denied by server.fs.deny.

Recommendations

Vite versions 7.1.0 through 7.3.1 should be updated to version 7.3.2 or later. Vite versions 8.0.0 through 8.0.4 should be updated to version 8.0.5 or later.
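A detection sketch for the behaviour described above, added here as an example and not code from Vite or from the advisory: it scans access logs for HTTP 200 responses to deny-listed files requested with the listed query parameters. It assumes a reverse proxy in front of the dev server writing Common Log Format; the function name, patterns and sample lines are illustrative and constructed.

```javascript
// Added example (not Vite code). All log lines below are constructed.
// Deny patterns named in the advisory (.env, *.crt); mirror your own server.fs.deny.
const DENIED = [/^\.env$/i, /\.crt$/i];
// Query keys behind ?raw, ?import&raw and ?import&url&inline.
const TRIGGER_KEYS = new Set(['raw', 'inline']);
// Common Log Format: client ident user [time] "METHOD target PROTO" status size
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) /;

const SAMPLE_LOG = [
  '198.51.100.7 - - [06/Apr/2026:10:00:01 +0000] "GET /.env?raw HTTP/1.1" 200 312',
  '198.51.100.7 - - [06/Apr/2026:10:00:02 +0000] "GET /certs/dev.crt?import&raw HTTP/1.1" 200 1840',
  '198.51.100.7 - - [06/Apr/2026:10:00:03 +0000] "GET /.env?import&url&inline HTTP/1.1" 200 420',
  '192.0.2.10 - - [06/Apr/2026:10:00:04 +0000] "GET /src/logo.svg?raw HTTP/1.1" 200 901',
  '192.0.2.10 - - [06/Apr/2026:10:00:05 +0000] "GET /.env?raw HTTP/1.1" 403 0',
  '192.0.2.10 - - [06/Apr/2026:10:00:06 +0000] "GET /src/main.ts HTTP/1.1" 200 2210',
].join('\n');

// Returns one record per request that was served (200) although the file
// matches a deny pattern and the query carries one of the trigger keys.
function suspiciousRequests(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // not a CLF line
    const [, client, target, status] = m;
    if (status !== '200') continue; // a 403 means the deny rule held
    let url, file;
    try {
      // Base URL is a placeholder; only path and query are used.
      url = new URL(target, 'http://placeholder.invalid');
      file = decodeURIComponent(url.pathname).split('/').pop();
    } catch {
      continue; // malformed target or bad percent-encoding
    }
    const hasTrigger = [...url.searchParams.keys()].some((k) => TRIGGER_KEYS.has(k));
    if (hasTrigger && DENIED.some((re) => re.test(file))) {
      hits.push({ client, file, query: url.search });
    }
  }
  return hits;
}

console.log(suspiciousRequests(SAMPLE_LOG));
```

A hit on a host that ran an affected version means the file's contents were returned to that client, so any secrets in it should be treated as disclosed and rotated.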

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-39364
GHSA-V2WJ-Q39Q-566R

Affected Products

Vite