Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit bb3024a3c691 · 2026-04-06T18:06:19.000Z
GHSA-4w7w-66w2-5vf9 GHSA-p9ff-h696-f583 GHSA-v2wj-q39q-566r GHSA-xqv9-qr76-hfq2
diff --git a/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json b/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json
@@ -0,0 +1,123 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4w7w-66w2-5vf9",
+  "modified": "2026-04-06T18:03:46Z",
+  "published": "2026-04-06T18:03:46Z",
+  "aliases": [],
+  "summary": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
+  "details": "### Summary\n\nAny files ending with `.map` even out side the project can be returned to the browser.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- have a sensitive content in files ending with `.map` and the path is predictable\n\n### Details\n\nIn Vite v7.3.1, the dev server’s handling of `.map` requests for optimized dependencies resolves file paths and calls `readFile` without restricting `../` segments in the URL. As a result, it is possible to bypass the [`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict) allow list and retrieve `.map` files located outside the project root, provided they can be parsed as valid source map JSON.\n\n### PoC\n1. Create a minimal PoC sourcemap outside the project root\n    ```bash\n    cat > /tmp/poc.map <<'EOF'\n    {\"version\":3,\"file\":\"x.js\",\"sources\":[],\"names\":[],\"mappings\":\"\"}\n    EOF\n    ```\n2. Start the Vite dev server (example)\n    ```bash\n    pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080\n    ```\n3. Confirm that direct `/@fs` access is blocked by `strict` (returns 403)\n    <img width=\"4004\" height=\"1038\" alt=\"image\" src=\"https://github.com/user-attachments/assets/15a859a8-1dc6-4105-8d58-80527c0dd9ab\" />\n4. Inject `../` segments under the optimized deps `.map` URL prefix to reach `/tmp/poc.map`\n    <img width=\"2790\" height=\"846\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5d02957d-2e6a-4c45-9819-3f024e0e81f2\" />",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "vite"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.0.0"
+            },
+            {
+              "fixed": "8.0.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 8.0.4"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "vite"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0"
+            },
+            {
+              "fixed": "7.3.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 7.3.1"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "vite"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.4.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.4.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/pull/22161"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vitejs/vite"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/releases/tag/v6.4.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/releases/tag/v7.3.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/releases/tag/v8.0.5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200",
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T18:03:46Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-p9ff-h696-f583/GHSA-p9ff-h696-f583.json b/advisories/github-reviewed/2026/04/GHSA-p9ff-h696-f583/GHSA-p9ff-h696-f583.json
@@ -0,0 +1,123 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p9ff-h696-f583",
+  "modified": "2026-04-06T18:03:24Z",
+  "published": "2026-04-06T18:03:24Z",
+  "aliases": [],
+  "summary": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket",
+  "details": "### Summary\n\n[`server.fs`](https://vite.dev/config/server-options#server-fs-strict) check was not enforced to the `fetchModule` method that is exposed in Vite dev server's WebSocket. \n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- WebSocket is not disabled by `server.ws: false`\n\nArbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.\n\n### Details\n\nIf it is possible to connect to the Vite dev server’s WebSocket **without an `Origin` header**, an attacker can invoke `fetchModule` via the custom WebSocket event `vite:invoke` and combine `file://...` with `?raw` (or `?inline`) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., `export default \"...\"`).\n\nThe access control enforced in the HTTP request path (such as `server.fs.allow`) is not applied to this WebSocket-based execution path.\n\n### PoC\n\n1. Start the dev server on the target \n   Example (used during validation with this repository):\n   ```bash\n   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173\n   ```\n\n2. Confirm that access is blocked via the HTTP path (example: arbitrary file)\n   ```bash\n   curl -i 'http://localhost:5173/@fs/etc/passwd?raw'\n   ```\n   Result: `403 Restricted` (outside the allow list)\n   <img width=\"3898\" height=\"1014\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f6593377-549c-45d7-b562-5c19833438af\" />\n\n3. Confirm that the same file can be retrieved via the WebSocket path\n   By connecting to the HMR WebSocket without an `Origin` header and sending a `vite:invoke` request that calls `fetchModule` with a `file://...` URL and `?raw`, the file contents are returned as a JavaScript module.\n  <img width=\"1049\" height=\"296\" alt=\"image\" src=\"https://github.com/user-attachments/assets/af969f7b-d34e-4af4-8adb-5e2b83b31972\" />\n  <img width=\"1382\" height=\"955\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6a230d2e-197a-4c9c-b373-d0129756d5d7\" />",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "vite"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.0.0"
+            },
+            {
+              "fixed": "8.0.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 8.0.4"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "vite"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0"
+            },
+            {
+              "fixed": "7.3.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 7.3.1"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "vite"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.0.0"
+            },
+            {
+              "fixed": "6.4.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.4.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/pull/22159"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vitejs/vite"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/releases/tag/v6.4.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/releases/tag/v7.3.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/releases/tag/v8.0.5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200",
+      "CWE-306"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T18:03:24Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-v2wj-q39q-566r/GHSA-v2wj-q39q-566r.json b/advisories/github-reviewed/2026/04/GHSA-v2wj-q39q-566r/GHSA-v2wj-q39q-566r.json
@@ -0,0 +1,97 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v2wj-q39q-566r",
+  "modified": "2026-04-06T18:03:32Z",
+  "published": "2026-04-06T18:03:32Z",
+  "aliases": [],
+  "summary": "Vite: `server.fs.deny` bypassed with queries",
+  "details": "### Summary\n\nThe contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- the sensitive file exists in the allowed directories specified by [`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow)\n- the sensitive file is denied with a pattern that matches a file by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny)\n\n### Details\n\nOn the Vite dev server, files that should be blocked by `server.fs.deny` (e.g., `.env`, `*.crt`) can be retrieved with HTTP 200 responses when query parameters such as `?raw`, `?import&raw`, or `?import&url&inline` are appended.\n\n### PoC\n\n1. Start the dev server: `pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort`\n2. Confirm that `server.fs.deny` is enforced (expect 403): `curl -i http://127.0.0.1:5175/src/.env | head -n 20`\n   <img width=\"3944\" height=\"1092\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ecb9f2e0-e08f-4ac7-b194-e0f988c4cd4f\" />\n3. Confirm that the same files can be retrieved with query parameters (expect 200):\n   <img width=\"2014\" height=\"373\" alt=\"image\" src=\"https://github.com/user-attachments/assets/76bc2a6a-44f4-4161-ae47-eab5ae0c04a8\" />",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "vite"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.0.0"
+            },
+            {
+              "fixed": "8.0.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 8.0.4"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "vite"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.1.0"
+            },
+            {
+              "fixed": "7.3.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 7.3.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/pull/22160"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/commit/a9a3df299378d9cbc5f069e3536a369f8188c8ff"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vitejs/vite"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/releases/tag/v7.3.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite/releases/tag/v8.0.5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-180",
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T18:03:32Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-xqv9-qr76-hfq2/GHSA-xqv9-qr76-hfq2.json b/advisories/github-reviewed/2026/04/GHSA-xqv9-qr76-hfq2/GHSA-xqv9-qr76-hfq2.json
