DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-33R3-4WHC-44C2: GHSA-33R3-4WHC-44C2: Path Traversal and Arbitrary File Write in vite-plus/binding

#security #cve #cybersecurity #ghsa

GHSA-33R3-4WHC-44C2: Path Traversal and Arbitrary File Write in vite-plus/binding

Vulnerability ID: GHSA-33R3-4WHC-44C2
CVSS Score: 8.6
Published: 2026-04-16

A path traversal vulnerability exists in the vite-plus/binding component of the vite-plus npm package prior to version 0.1.17. The downloadPackageManager() function fails to validate the version parameter, allowing programmatic attackers to escape the VP_HOME directory, overwrite arbitrary directories, and write executable shims to unintended filesystem locations.

TL;DR

The downloadPackageManager() function in vite-plus/binding (< 0.1.17) is vulnerable to a path traversal attack via unvalidated version strings. This allows arbitrary file writes and directory manipulation outside the designated VP_HOME directory.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability ID: GHSA-33R3-4WHC-44C2
  • CWE ID: CWE-22
  • CVSS v4.0 Score: 8.6
  • Attack Vector: Local
  • Impact: High Integrity, High Availability
  • Exploit Status: PoC Available
  • Affected Component: vite-plus/binding

Affected Systems

  • vite-plus npm package (< 0.1.17)
  • vite-plus: >= 0, < 0.1.17 (Fixed in: 0.1.17)

Mitigation Strategies

  • Upgrade vite-plus to version 0.1.17 or later.
  • Implement strict semver validation for all version strings before passing them to vite-plus/binding APIs.
  • Restrict the filesystem permissions of the Node.js process to limit the impact of successful arbitrary file writes.
  • Monitor internal dependencies and programmatic API calls for unvalidated user input.

Remediation Steps:

  1. Audit the codebase for programmatic usage of vite-plus/binding's downloadPackageManager().
  2. Update package.json to require vite-plus >= 0.1.17.
  3. Run npm install or pnpm install to update the dependency tree.
  4. If programmatic calls exist, implement pre-validation using the semver package (semver.valid(version)).
  5. Deploy the updated application to production environments.

References

Read the full report for GHSA-33R3-4WHC-44C2 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)