PT-2026-49574 · Npm · Vite+1

Published

2026-06-15

·

Updated

2026-06-15

·

CVE-2026-53571

CVSS v4.0

8.2

High

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser on Windows.

Impact

Only apps that match the following conditions are affected:
  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • the sensitive file exists in the allowed directories specified by server.fs.allow
  • either of:
  • the sensitive file exists in an NTFS volume
  • the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)

Details

Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream.
Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.

PoC

bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
Access via browser at http://localhost:5173/.env::$DATA?raw deecc1315123883cfd0f9c26a002845a
Example expected result:
  • /.env::$DATA?raw returns the contents of .env
  • /tls.pem::$DATA?raw returns the contents of tls.pem

Fix

Path traversal

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-200

Related Identifiers

CVE-2026-53571
GHSA-FX2H-PF6J-XCFF

Affected Products

Vite
Vite-Plus