PT-2026-30926 · Vite · Vite

Ochk0 +1 · Published 2026-04-06 · Updated 2026-05-19 · CVE-2026-39365

CVSS v4.0 6.3 Medium
Vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Vite versions 6.0.0 through 6.4.1, 7.3.2, and 8.0.5

Description
The Vite dev server improperly handles .map requests for optimized dependencies. It resolves the requested file path and calls readFile without restricting '../' segments in the URL, which can bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they are valid source map JSON. This can expose sensitive content if the dev server is exposed to the network and .map files exist at predictable paths.

Recommendations
Update to Vite version 6.4.2 or later, 7.3.2, or 8.0.5.

Fix

Path traversal

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-39365
GHSA-4W7W-66W2-5VF9

Affected Products

Vite