CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-V2WJ-Q39Q-566R

GHSA-V2WJ-Q39Q-566R: Vite `server.fs.deny` Bypass via Query Parameters

Alon Barad
Alon Barad
Software Engineer

Apr 6, 2026·6 min read·33 visits

Executive Summary (TL;DR)

An improper access control flaw in Vite's development server allows attackers to bypass `server.fs.deny` restrictions by appending query parameters (e.g., `?raw`) to requested paths, leading to sensitive information disclosure.

Vite development server contains a high-severity vulnerability where the `server.fs.deny` access control mechanism can be bypassed by appending specific query parameters to file requests. This allows unauthorized retrieval of restricted files, including sensitive environment variables and source code.

Vulnerability Overview

The Vite development server provides an integrated web server for serving application assets and source files during the development process. To protect sensitive project files, Vite implements the server.fs.deny configuration directive. This directive acts as a blocklist, utilizing an array of file path patterns to restrict network access to files such as .env, .git/, and node_modules/ directories.

The vulnerability exists in the path normalization and validation logic of the development server. When the server receives an incoming HTTP request, it evaluates the requested file path against the configured deny list patterns. However, the evaluation occurs before transformation query parameters are fully decoupled from the requested file path identifier.

By appending specific Vite-recognized query parameters to a request for a restricted file, an attacker manipulates the path string evaluated by the access control logic. This manipulation causes exact-match and suffix-based file path patterns to fail, permitting the request to bypass the intended security restrictions. The resulting impact is the unauthorized disclosure of sensitive files present on the host filesystem where the Vite process is executing.

Root Cause Analysis

The root cause of GHSA-V2WJ-Q39Q-566R lies in the isServerAccessDeniedForTransform function and the associated transformMiddleware within the Vite development server. These components validate incoming requests to ensure they do not attempt to read files blocked by the server.fs.deny configuration. The validation logic performs checks using the literal request id string.

In Vite's architecture, the id string often contains both the filesystem path and query parameters used to instruct the transformation pipeline (e.g., ?raw to import a file as a raw string). Because the server.fs.deny patterns are typically defined to match specific file extensions or directory paths, they are highly sensitive to the exact string representation of the requested path.

When a request targets /src/.env?raw, the access control mechanism evaluates the entire string /src/.env?raw against patterns such as **/.env*. While simple glob patterns might match this string, complex query combinations or platform-specific URL handling anomalies prevent the pattern matching logic from accurately identifying the underlying restricted file. The failure to normalize the id string prior to access validation creates an open-allow condition for restricted resources.

Code Analysis

The vulnerable implementation evaluates the un-normalized request identifier directly against the server.fs.deny blocklist. The failure to strip transformation query parameters allows the path matching logic to return false negatives. The subsequent transformation pipeline then correctly processes the query parameters and reads the underlying file, oblivious to the fact that the file is restricted.

The patch introduced in commit a9a3df299378d9cbc5f069e3536a369f8188c8ff resolves this issue by implementing a dual-check validation mechanism. The Vite team modified packages/vite/src/node/server/middlewares/transform.ts to evaluate both the raw request identifier and a cleaned, normalized version of the URL.

// Patched implementation in packages/vite/src/node/server/middlewares/transform.ts
export function isServerAccessDeniedForTransform(
  config: ResolvedConfig,
  id: string,
): boolean {
  if (rawRE.test(id) || urlRE.test(id) || inlineRE.test(id) || svgRE.test(id)) {
    return (
      checkLoadingAccess(config, cleanUrl(id)) !== 'allowed' || // Check normalized path
      checkLoadingAccess(config, id) !== 'allowed'            // Check raw ID
    )
  }
  return false
}

The implementation now invokes cleanUrl(id), which removes query parameters and hash fragments from the path string. By evaluating both cleanUrl(id) and the raw id against the access control policies, the server ensures that any restricted file remains blocked, regardless of appended transformation parameters.

Exploitation Methodology

Exploitation requires network access to the target Vite development server. Developers often bind the Vite development server to all network interfaces (e.g., --host 0.0.0.0) to facilitate testing from mobile devices or external network segments. This configuration significantly increases the attack surface, allowing remote unauthenticated attackers to reach the vulnerable service.

An attacker constructs an HTTP GET request targeting a known sensitive file, such as an environment configuration file, appending a query string recognized by the Vite transformation pipeline. A common target is the .env file, which Vite actively denies by default. The attacker sends a request such as GET http://target-host:5173/src/.env?raw.

The development server receives the request and evaluates /src/.env?raw. The path matching engine fails to match this string against its deny patterns. The request is subsequently passed to the transformation logic, which processes the ?raw parameter. The server reads the .env file from disk and returns its contents directly in the HTTP response body as a raw string.

Attackers can utilize varying parameters to achieve this bypass, including ?import&raw and ?url&inline. The success of the exploit depends solely on identifying the location of the restricted file relative to the Vite server root and selecting a query parameter that the transformation engine natively parses while simultaneously evading the glob matching engine.

Impact Assessment

The direct impact of this vulnerability is the unauthorized disclosure of sensitive information residing on the development host. The scope of exposed data is constrained to the files accessible by the Vite server process. The primary risk involves the extraction of credentials, API keys, and database passwords typically stored in .env or configuration files at the project root.

Exposed secrets can facilitate immediate lateral movement or privilege escalation. If development API keys for third-party services (e.g., AWS, Stripe, Twilio) are exposed, an attacker can pivot to attack the supporting infrastructure. In shared development environments or containerized workspaces, the vulnerability allows users to read proprietary source code and intellectual property.

This vulnerability does not affect production environments serving static files generated via the vite build command. The issue is strictly confined to the vite development server process. However, the severe consequences of exposed credentials warrant immediate remediation and adherence to secure development environment configurations.

Remediation and Mitigation

The vulnerability is completely resolved in Vite versions 7.3.2 and 8.0.5. Organizations utilizing vulnerable versions of Vite must upgrade their dependencies immediately. Project maintainers can apply the fix by running package manager update commands, such as npm update vite or yarn upgrade vite, and ensuring the resulting version meets the patched baseline.

If immediate upgrading is not feasible, developers must restrict network access to the Vite development server. By default, Vite binds to localhost, which limits exposure to local users. Developers must avoid using the --host flag or configuring server.host to 0.0.0.0 unless operating within an isolated, trusted network environment. Network-level controls, such as local firewalls or VPNs, should be employed to protect the development instance.

Organizations should also implement defense-in-depth measures regarding secret management. Development secrets should be distinct from production secrets, limiting the blast radius of a credential disclosure event. Utilizing secret management vaults instead of plain text .env files further mitigates the risk of exposure during development operations.

Official Patches

ViteFix commit for the vulnerability
ViteFix pull request
ViteVite v7.3.2 release notes
ViteVite v8.0.5 release notes

Fix Analysis (1)

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Systems

Vite Development Server

Affected Versions Detail

Product
Affected Versions
Fixed Version
Vite
Vite
< 7.3.27.3.2
Vite
Vite
>= 8.0.0, < 8.0.58.0.5
AttributeDetail
Vulnerability TypeImproper Access Control
Attack VectorNetwork
Authentication RequiredNone
ImpactInformation Disclosure
CVSSv3 Score7.5 (High)
CWE IDCWE-284, CWE-200
Exploit StatusPoC Available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1552Unsecured Credentials
Credential Access
CWE-284
Improper Access Control

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Vulnerability Timeline

Fix commit a9a3df299378d9cbc5f069e3536a369f8188c8ff submitted.
2026-04-06
Pull request #22160 opened.
2026-04-06
Advisory GHSA-V2WJ-Q39Q-566R published.
2026-04-06
Vite v7.3.2 and v8.0.5 released containing the patch.
2026-04-06

References & Sources

  • [1]GitHub Advisory Database: GHSA-V2WJ-Q39Q-566R
  • [2]Fix Commit
  • [3]Fix Pull Request

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 3 hours ago•CVE-2026-48276
10.0

CVE-2026-48276: Unrestricted File Upload in Adobe ColdFusion

Adobe ColdFusion versions 2025.9 and 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434). An unauthenticated remote attacker can exploit this flaw to upload malicious ColdFusion Markup Language (CFML) files directly into web-accessible directories. Accessing the uploaded script triggers arbitrary code execution in the security context of the running service account.

Amit Schendel
Amit Schendel
11 views•6 min read
•about 7 hours ago•CVE-2026-46599
7.5

CVE-2026-46599: Unrestricted Memory Allocation in golang.org/x/image/tiff PackBits Decoder

CVE-2026-46599 (also identified by Go vulnerability alias GO-2026-5032) is a high-severity denial-of-service vulnerability in the Go image repository, specifically within the TIFF decoder's PackBits decompression engine. A lack of resource limits during the parsing of Run-Length Encoded PackBits streams allows an attacker to construct a crafted TIFF image that achieves significant decompression amplification. This flaw enables an unauthenticated remote attacker to exhaust system resources, leading to an Out-of-Memory crash or a prolonged application hang.

Alon Barad
Alon Barad
28 views•7 min read
•3 days ago•CVE-2026-54269
5.3

CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs

A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.

Alon Barad
Alon Barad
11 views•6 min read
•4 days ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
20 views•6 min read
•5 days ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
31 views•8 min read
•5 days ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
11 views•5 min read