Path traversal in Vite - CVE-2026-39365

 

Published: April 8, 2026


Vulnerability identifier: #VU125310
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-39365
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vite
Affected software: Vite

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in the Vite dev server's handling of .map requests for optimized dependencies. A remote attacker can send a specially crafted request containing ../ segments to disclose sensitive information.

Only applications that explicitly expose the dev server to the network are affected, and only files ending in .map that can be parsed as valid source map JSON can be retrieved.
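
A detection sketch for the request pattern described above, added here as an example and not taken from Vite or from this advisory: it flags logged requests whose decoded path ends in .map and contains a `..` segment. The log format, the request paths and the function names are assumptions constructed for illustration.

```javascript
// Constructed sample access-log lines (common log style); not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [08/Apr/2026:10:00:01 +0000] "GET /assets/app.js.map HTTP/1.1" 200 512',
  '10.0.0.9 - - [08/Apr/2026:10:00:02 +0000] "GET /deps/../../private/build.js.map HTTP/1.1" 200 2048',
  '10.0.0.9 - - [08/Apr/2026:10:00:03 +0000] "GET /deps/%2e%2e/%2E%2E/private/build.js.map?v=1 HTTP/1.1" 200 2048',
  '10.0.0.9 - - [08/Apr/2026:10:00:04 +0000] "GET /deps/%252e%252e/x.map HTTP/1.1" 404 0',
  '10.0.0.7 - - [08/Apr/2026:10:00:05 +0000] "GET /deps/../index.html HTTP/1.1" 404 0',
  '10.0.0.7 - - [08/Apr/2026:10:00:06 +0000] "GET /docs/road..map HTTP/1.1" 200 10',
];

// Percent-decode repeatedly so double-encoded dots (%252e) are also exposed.
function decodeFully(path, maxRounds = 3) {
  let current = path;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      break; // malformed escape sequence: keep the last good form
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// True when the path (query stripped) ends in .map and has a ".." segment.
// Browsers resolve dot segments before sending, so one reaching the server is unusual.
function isTraversalMapRequest(target) {
  const pathOnly = target.split(/[?#]/, 1)[0];
  const decoded = decodeFully(pathOnly).replace(/\\/g, '/');
  if (!decoded.toLowerCase().endsWith('.map')) return false;
  return decoded.split('/').includes('..');
}

const REQUEST_RE = /^(\S+) .*?"[A-Z]+ (\S+) HTTP\/[\d.]+" (\d{3})/;

// Return client, raw target and status for every flagged log line.
function findTraversalMapRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (m && isTraversalMapRequest(m[2])) {
      hits.push({ client: m[1], target: m[2], status: Number(m[3]) });
    }
  }
  return hits;
}

console.log(findTraversalMapRequests(SAMPLE_LOG));
```

Flagged lines with a 200 status are the ones to triage first, since a response body was returned for them.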


How to mitigate CVE-2026-39365

Install the security update from the vendor's website.
