You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
have a sensitive content in files ending with .map and the path is predictable
Details
In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.
PoC
Create a minimal PoC sourcemap outside the project root
the sensitive file exists in the allowed directories specified by server.fs.allow
either of:
the sensitive file exists in an NTFS volume
the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)
Details
Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied.
Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream.
Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.
PoC
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
Access via browser at http://localhost:5173/.env::$DATA?raw
Example expected result:
/.env::$DATA?raw returns the contents of .env
/tls.pem::$DATA?raw returns the contents of tls.pem
The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.
Impact
If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the launch-editor:
the user accesses the attackers website that sends request to a middleware using launch-editor
the server that has the middleware using launch-editor is running
the attacker knows the URL for that server and the middleware
This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems.
Details
launch-editor accepts file paths without validating or restricting Windows UNC paths such as:
\\attacker-host\share
On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur.
If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password.
The attacker could target a developer that uses a development server using launch-editor to develop code locally, send them a link and grab their NTLMv2 hash.
PoC
From the attacker side, we will setup an SMB server. I personally used Impacket's smbserver.py, but you could use something like Responder for this as well. For keeping it simple, we will use smbserver.py here.
First, let's create a directory to serve as an SMB share.
Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally (vite).
Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use curl to achieve the same.
Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of smbserver.py and see the NTLMv2 hash coming in.
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: services/frontend/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @sveltejs/vite-plugin-svelte@3.1.2
npm error Found: vite@6.4.3
npm error node_modules/vite
npm error dev vite@"6.4.3" from the root project
npm error peer vite@"^5.0.3 || ^6.0.0 || ^7.0.0-beta.0 || ^8.0.0" from @sveltejs/kit@2.60.1
npm error node_modules/@sveltejs/kit
npm error dev @sveltejs/kit@"2.60.1" from the root project
npm error peer @sveltejs/kit@"^2.0.0" from @sveltejs/adapter-auto@3.3.1
npm error node_modules/@sveltejs/adapter-auto
npm error dev @sveltejs/adapter-auto@"3.3.1" from the root project
npm error 1 more (@sveltejs/adapter-static)
npm error
npm error Could not resolve dependency:
npm error peer vite@"^5.0.0" from @sveltejs/vite-plugin-svelte@3.1.2
npm error node_modules/@sveltejs/vite-plugin-svelte
npm error dev @sveltejs/vite-plugin-svelte@"3.1.2" from the root project
npm error peer @sveltejs/vite-plugin-svelte@"^3.0.0 || ^4.0.0-next.1 || ^5.0.0 || ^6.0.0-next.0 || ^7.0.0" from @sveltejs/kit@2.60.1
npm error node_modules/@sveltejs/kit
npm error dev @sveltejs/kit@"2.60.1" from the root project
npm error 2 more (@sveltejs/adapter-auto, @sveltejs/adapter-static)
npm error 1 more (@sveltejs/vite-plugin-svelte-inspector)
npm error
npm error Conflicting peer dependency: vite@5.4.21
npm error node_modules/vite
npm error peer vite@"^5.0.0" from @sveltejs/vite-plugin-svelte@3.1.2
npm error node_modules/@sveltejs/vite-plugin-svelte
npm error dev @sveltejs/vite-plugin-svelte@"3.1.2" from the root project
npm error peer @sveltejs/vite-plugin-svelte@"^3.0.0 || ^4.0.0-next.1 || ^5.0.0 || ^6.0.0-next.0 || ^7.0.0" from @sveltejs/kit@2.60.1
npm error node_modules/@sveltejs/kit
npm error dev @sveltejs/kit@"2.60.1" from the root project
npm error 2 more (@sveltejs/adapter-auto, @sveltejs/adapter-static)
npm error 1 more (@sveltejs/vite-plugin-svelte-inspector)
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-07-12T12_27_42_350Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-07-12T12_27_42_350Z-debug-0.log
renovateBot
changed the title
chore(deps): update dependency vite to v6 [security]
chore(deps): update dependency vite to v6 [security] - autoclosed
Apr 27, 2026
renovateBot
changed the title
chore(deps): update dependency vite to v6 [security] - autoclosed
chore(deps): update dependency vite to v6 [security]
Apr 27, 2026
renovateBot
changed the title
chore(deps): update dependency vite to v6 [security]
chore(deps): update dependency vite to v6 [security] - autoclosed
May 6, 2026
renovateBot
changed the title
chore(deps): update dependency vite to v6 [security] - autoclosed
chore(deps): update dependency vite to v6 [security]
May 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.4.21→6.4.3Vite Vulnerable to Path Traversal in Optimized Deps
.mapHandlingCVE-2026-39365 / GHSA-4w7w-66w2-5vf9
More information
Details
Summary
Any files ending with
.mapeven out side the project can be returned to the browser.Impact
Only apps that match the following conditions are affected:
--hostorserver.hostconfig option).mapand the path is predictableDetails
In Vite v7.3.1, the dev server’s handling of
.maprequests for optimized dependencies resolves file paths and callsreadFilewithout restricting../segments in the URL. As a result, it is possible to bypass theserver.fs.strictallow list and retrieve.mapfiles located outside the project root, provided they can be parsed as valid source map JSON.PoC
/@​fsaccess is blocked bystrict(returns 403)../segments under the optimized deps.mapURL prefix to reach/tmp/poc.mapSeverity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
vite:
server.fs.denybypass on Windows alternate pathsCVE-2026-53571 / GHSA-fx2h-pf6j-xcff
More information
Details
Summary
The contents of files that are specified by
server.fs.denycan be returned to the browser on Windows.Impact
Only apps that match the following conditions are affected:
--hostorserver.hostconfig option)server.fs.allowDetails
Vite’s dev server denies direct access to sensitive files through
server.fs.deny, including entries such as.env,.env.*, and*.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied.Because of this, requests such as
/.env::$DATA?raware treated as allowed paths, while Windows resolves them to the original file's default data stream.Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.
PoC
$ npm create vite@latest $ cd vite-project/ $ npm install $ npm run devAccess via browser at

http://localhost:5173/.env::$DATA?rawExample expected result:
/.env::$DATA?rawreturns the contents of.env/tls.pem::$DATA?rawreturns the contents oftls.pemSeverity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
CVE-2026-53632 / GHSA-v6wh-96g9-6wx3
More information
Details
Summary
The
launch-editorNPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.Impact
If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the
launch-editor:launch-editorlaunch-editoris runningThis would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems.
Details
launch-editoraccepts file paths without validating or restricting Windows UNC paths such as:On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt to the remote SMB server. No user interaction or warning is required for this authentication attempt to occur.
If an attacker controls the SMB server referenced by the UNC path the victim’s NTLMv2 hash is transmitted to the attacker. The attacker can then capture the hash and perform offline password cracking. Successful cracking reveals the victim’s cleartext password.
The attacker could target a developer that uses a development server using
launch-editorto develop code locally, send them a link and grab their NTLMv2 hash.PoC
From the attacker side, we will setup an SMB server. I personally used Impacket's smbserver.py, but you could use something like Responder for this as well. For keeping it simple, we will use
smbserver.pyhere.First, let's create a directory to serve as an SMB share.
Then, start the SMB server.
Now, run any project that uses the launch-editor package. I have setup a simple "Hello world" project that uses Vite to do this. Then run the project locally (
vite).Now last, we will open a browser window and navigate to the URL used by the launch-editor package to trigger the NTLM authentication. Or we can use
curlto achieve the same.Note the IP address in the HTTP request, and make sure it connects to the IP address of the SMB server. Now we can look at the logs of
smbserver.pyand see the NTLMv2 hash coming in.Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vitejs/vite (vite)
v6.4.3Compare Source
Please refer to CHANGELOG.md for details.
v6.4.2Compare Source
Please refer to CHANGELOG.md for details.
v6.4.1Compare Source
Please refer to CHANGELOG.md for details.
v6.4.0Compare Source
Please refer to CHANGELOG.md for details.
v6.3.7Compare Source
Please refer to CHANGELOG.md for details.
v6.3.6Compare Source
Please refer to CHANGELOG.md for details.
v6.3.5Compare Source
Today, we're excited to announce the release of the next Vite major:
⚠ BREAKING CHANGES
Objectvariable in ssr transformed code (#19996)experimental.skipSsrTransformoption (#20038)HotBroadcaster(#19988)build.targetand name itbaseline-widely-available(#20007)HotBroadcasterrelated types (#19987)enforce/transformfromtransformIndexHtmlhook (#19349)Features
configurePreviewServerhook (#20224) (b989c42)configureServerhook (#20222) (f5cc4c0)this.meta.viteVersion(#20088) (f55bf41)createServer(#19894) (c1ae9bd)build.targetand name itbaseline-widely-available(#20007) (4a8aa82)css.preprocessorMaxWorkersand default totrue(#19992) (70aee13)optimizeDeps.noDiscovery(#19984) (6d2dcb4)Bug Fixes
import.meta.urlin bundled Vite (#20235) (3bf3a8a)ssrExportNameKey(#20266) (ac302a7)normalizeModuleId(#20277) (9b98dcb).then(m => m.a)(#20117) (7b7410a)build.rollupOptions.inputresolution with rollup (#20080) (9759c29)Objectvariable in ssr transformed code (#19996) (fceff60)preprocessorOptions.sass(fix #20150) (#20166) (7db56be)cleanGlobalCLIOptions()clean--force(#19999) (d4a171a)environments.*.resolve.noExternalproperly (#20077) (daf4a25)server.allowedHosts: truecorrectly (#20138) (2ade756)computeEntriesfailed (#20079) (b742b46)optimizeDeps.entriesvalues as globs (#20045) (1422395)Performance Improvements
numberToPos(#20244) (3f46901)Documentation
Miscellaneous Chores
ResolvedConfig.createResolverand recommendcreateIdResolver(#20031) (d101d64)devEnvironmentOptions.moduleRunnerTransform(#20035) (338081d)patch-typesplugin for bundling vite (#20089) (c127955)Code Refactoring
src/node/publicUtils.tstosrc/node/index.ts(#20086) (999a1ed)experimental.skipSsrTransformoption (#20038) (6c3dd8e)HotBroadcaster(#19988) (cda8c94)options?.ssrsupport in clientInjectionsPlugin (#19589) (88e0076)HotBroadcasterrelated types (#19987) (86b5e00)enforce/transformfromtransformIndexHtmlhook (#19349) (6198b9d)legacy.proxySsrExternalModules(#20013) (a37ac83)hostValidationMiddleware(#20019) (83bf90e)mergeWithDefaultsfor experimental option (#20012) (98c5741)Tests
useDefineForClassFieldstest (#20143) (d90796e)Continuous Integration
Beta Changelogs
7.0.0-beta.2 (2025-06-17)
See 7.0.0-beta.2 changelog
7.0.0-beta.1 (2025-06-10)
See 7.0.0-beta.1 changelog
7.0.0-beta.0 (2025-06-02)
See 7.0.0-beta.0 changelog
v6.3.4Compare Source
Bug Fixes
requireto import externals in optimized dependencies (#19940) (efc5eab)Code Refactoring
v6.3.3Compare Source
Bug Fixes
Performance Improvements
Tests
ssrTransformre-export deps and test stacktrace with first line (#19629) (9399cda)v6.3.2Compare Source
Features
Bug Fixes
css.lightningcssoption in css minification process (#19879) (b5055e0)v6.3.1Compare Source
Bug Fixes
Promise.allSettledin preload function (#19805) (35c7f35)transformcalls (#19878) (a152b7c)v6.3.0Compare Source
Bug Fixes
hot.invalidatein circular deps (#19870) (d4ee5e8)v6.2.7Compare Source
Please refer to CHANGELOG.md for details.
v6.2.6Compare Source
Please refer to CHANGELOG.md for details.
v6.2.5Compare Source
Please refer to CHANGELOG.md for details.
v6.2.4Compare Source
Please refer to CHANGELOG.md for details.
v6.2.3Compare Source
Please refer to CHANGELOG.md for details.
v6.2.2Compare Source
Features
base(#19616) (2476391)Bug Fixes
ssrRewriteStacktrace(#19612) (4309755)Miscellaneous Chores
v6.2.1Compare Source
Features
*?url&no-inlinetype and warning for.json?inline/.json?no-inline(#19566) (c0d3667)Bug Fixes
Performance Improvements
Miscellaneous Chores
Code Refactoring
isBuildcheck from preAliasPlugin (#19587) (c9e086d)applyToEnvironmentin internal plugins (#19588) (f678442)Tests
v6.2.0Compare Source
Bug Fixes
Miscellaneous Chores
v6.1.6Compare Source
Please refer to CHANGELOG.md for details.
v6.1.5Compare Source
Please refer to CHANGELOG.md for details.
v6.1.4Compare Source
Please refer to CHANGELOG.md for details.
v6.1.3Compare Source
Please refer to CHANGELOG.md for details.
v6.1.2Compare Source
Please refer to CHANGELOG.md for details.
v6.1.1Compare Source
Features
Bug Fixes
.[cm]?[tj]sx?static assets are JS mime (#19453) (e7ba55e)*.ipv4address in cert (#19416) (973283b)Miscellaneous Chores
Code Refactoring
v6.1.0Compare Source
Features
Bug Fixes
.[cm]?[tj]sx?static assets are JS mime (#19453) (e7ba55e)*.ipv4address in cert (#19416) (973283b)Miscellaneous Chores
Code Refactoring
v6.0.15Compare Source
Please refer to CHANGELOG.md for details.
v6.0.14Compare Source
Please refer to CHANGELOG.md for details.
v6.0.13Compare Source
Please refer t
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.