DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-4W7W-66W2-5VF9: GHSA-4W7W-66W2-5VF9: Path Traversal in Vite transformMiddleware Source Map Handling

#security #cve #cybersecurity #ghsa

GHSA-4W7W-66W2-5VF9: Path Traversal in Vite transformMiddleware Source Map Handling

Vulnerability ID: GHSA-4W7W-66W2-5VF9
CVSS Score: 5.3
Published: 2026-04-06

A path traversal vulnerability exists in the Vite development server's transform middleware, allowing attackers to read restricted files ending in '.map' that contain valid JSON data.

TL;DR

Vite dev server lacks boundary checks on source map requests, enabling arbitrary file reads of JSON-formatted .map files via directory traversal.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network / Local
  • Impact: Arbitrary File Read (Constrained)
  • Exploit Status: Proof of Concept Available
  • Component: transformMiddleware
  • Patch Status: Patched

Affected Systems

  • Vite development server (vite npm package)
  • vite: < 6.4.2 (Fixed in: 6.4.2)
  • vite: >= 7.0.0, < 7.3.2 (Fixed in: 7.3.2)
  • vite: >= 8.0.0, < 8.0.5 (Fixed in: 8.0.5)

Code Analysis

Commit: 79f002f

Fix path traversal vulnerability in transformMiddleware by introducing depsOptimizer verification

          const sourcemapPath = url.startsWith(FS_PREFIX)
            ? fsPathFromId(url)
            : normalizePath(path.resolve(server.config.root, url.slice(1)))
+         // url may contain relative path that may resolve outside of the optimized deps directory
+         if (!depsOptimizer.isOptimizedDepFile(sourcemapPath)) {
+           return next()
+         }
          try {
            const map = JSON.parse(
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade Vite to a patched version (6.4.2, 7.3.2, or 8.0.5)
  • Restrict Vite development server network binding to localhost (127.0.0.1)
  • Monitor incoming HTTP requests for excessive directory traversal patterns ('../')

Remediation Steps:

  1. Identify the current Vite version specified in package.json
  2. Run npm update vite, yarn upgrade vite, or pnpm update vite to install the patched release
  3. Verify the installed version using npm list vite to ensure it matches or exceeds the fixed versions
  4. Remove any --host 0.0.0.0 flags from package.json scripts unless running in a secure, isolated container

References

Read the full report for GHSA-4W7W-66W2-5VF9 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)