
CVE-2026-53571

Severity: HIGH (CVSS 4.0 base score 8.2)
Exploitation: PoC
Description
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that server.fs.deny is meant to protect can be returned to the browser on Windows. Vite's dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. On Windows, however, the deny logic did not normalize NTFS alternate data stream (ADS) path forms before the access check was applied. A request such as /.env::$DATA?raw therefore did not match the deny entry for .env and was treated as an allowed path, while Windows resolved that name to the original file's default data stream and served its contents. Similarly, Windows allows a file to be opened under its 8.3 short name (the compatibility alias generated for long filenames), which likewise does not match the long-name deny patterns; Vite did not reject access through such names. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.
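The bypass described above, as an added example that is not Vite's code: a toy deny check written in JavaScript (Vite's own language) using the deny entries the advisory names, showing how /.env::$DATA?raw and an 8.3 short name pass a check that matches patterns against the name exactly as requested, and one way to normalize the name before checking. The glob matcher, the sample request paths, and the hardened logic are assumptions for illustration, not the project's actual patch.

```javascript
// Added example (not Vite's code): models a dev-server deny check and shows
// why NTFS ADS suffixes and 8.3 short names slip past a pattern match on the
// requested name. Deny entries and request paths are constructed for this demo.
const DENY = ['.env', '.env.*', '*.{crt,pem}'];

// Tiny glob -> RegExp covering '*' and '{a,b}' as used above. Assumption: this
// stands in for the real matcher, which is not part of this example.
function escapeRe(s) {
  return s.replace(/[.+?^$()|[\]\\]/g, '\\$&');
}
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*') {
      re += '[^/]*';
    } else if (c === '{') {
      const end = glob.indexOf('}', i);
      const alts = glob.slice(i + 1, end).split(',').map(escapeRe).join('|');
      re += '(?:' + alts + ')';
      i = end;
    } else {
      re += escapeRe(c);
    }
  }
  return new RegExp('^' + re + '$');
}
const DENY_RE = DENY.map(globToRegExp);

function nameDenied(name) {
  return DENY_RE.some((re) => re.test(name));
}

// Final path segment of the request: query string dropped, percent-decoding
// applied. Returns null on malformed escapes so callers can fail closed.
function requestedBasename(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split('?')[0]);
  } catch (e) {
    return null;
  }
  return decoded.split(/[\\/]/).pop();
}

// Vulnerable shape: the deny list is matched against the name as requested.
// '.env::$DATA' is not '.env', so it is allowed, yet NTFS opens the same bytes.
function isDeniedNaive(urlPath) {
  const name = requestedBasename(urlPath);
  if (name === null) return true;
  return nameDenied(name);
}

// Hardened shape (assumption: one reasonable fix, not the project's patch):
//  1. an NTFS stream suffix is everything from the first ':' in the final
//     segment ('::$DATA', ':stream', ':stream:$DATA'); strip it and check
//     the underlying file name instead;
//  2. an 8.3 short name ('ENV~1', 'SERVER~1.PEM') can never be matched against
//     long-name patterns, so reject the '~<digits>' shape outright rather than
//     trusting it. This is conservative (a real long name containing '~1' is
//     also rejected); on a Windows host, fs.realpathSync.native() expands
//     short names and is the place to re-run the deny check instead.
const SHORT_NAME_RE = /~\d+(\.[^.]{0,3})?$/;

function isDeniedHardened(urlPath) {
  const name = requestedBasename(urlPath);
  if (name === null) return true; // fail closed on undecodable input
  const adsIndex = name.indexOf(':');
  const realName = adsIndex === -1 ? name : name.slice(0, adsIndex);
  if (SHORT_NAME_RE.test(realName)) return true;
  return nameDenied(realName);
}
```

With the entries above, isDeniedNaive('/.env::$DATA?raw') returns false while isDeniedHardened returns true for the same request, which is the whole bug in one call. Note that stripping the stream suffix on the name is a syntactic normalization; the resolved-path route (realpath, then re-check) is what catches aliases this example cannot model offline.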

Metadata

CVE ID
CVE-2026-53571
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-09 19:11 UTC
Published
2026-06-22 16:10 UTC
Last updated
2026-06-22 18:07 UTC
Primary CWE
CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor / Product
vitejs / vite
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
Vendor: vitejs
Product: vite
Versions: >= 8.0.0, < 8.0.16; >= 7.0.0, < 7.3.5; < 6.4.3
Weakness (CWE)
CWE-200 (source: cna): Exposure of Sensitive Information to an Unauthorized Actor
CWE-22 (source: cna): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (1)
8.2 HIGH, CVSS 4.0, source: cna
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References (1)