Main Vulnerability Database Vulnerabilities #VU125311

Incorrect Behavior Order: Validate Before Canonicalize in Vite - CVE-2026-39364

Published: April 8, 2026

Vulnerability identifier: #VU125311

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-39364

CWE-ID: CWE-180

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Vite

Affected software:
Vite

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to validate-before-canonicalize behavior in the Vite dev server file access control for server.fs.deny when handling requests for denied files with query parameters such as ?raw, ?import&raw, or ?import&url&inline. A remote attacker can send a specially crafted request to disclose sensitive information.

Only applications that explicitly expose the Vite dev server to the network are affected, and the targeted file must exist in directories allowed by server.fs.allow while matching a deny pattern in server.fs.deny.

How to mitigate CVE-2026-39364

Install security update from vendor's website.

Sources

https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r

Incorrect Behavior Order: Validate Before Canonicalize in Vite - CVE-2026-39364

Detailed vulnerability description

How to mitigate CVE-2026-39364

Sources

Please verify you're human