Skip to content

[HIGH] CVE-2026-53571: Package: vite Installed Version: 7.3.2 Vulnerability CVE-2026-53571 Severity:... #126

Description

@github-actions

🟠 High Security Finding

Scanner: Trivy
Rule: CVE-2026-53571
Severity: HIGH
File: pnpm-lock.yaml:1

Description

Package: vite
Installed Version: 7.3.2
Vulnerability CVE-2026-53571
Severity: HIGH
Fixed Version: 8.0.16, 7.3.5, 6.4.3
Link: CVE-2026-53571

Remediation Guidance

Vulnerability CVE-2026-53571
Severity: HIGH
Package: vite
Fixed Version: 8.0.16, 7.3.5, 6.4.3
Link: CVE-2026-53571

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser on Windows.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • the sensitive file exists in the allowed directories specified by server.fs.allow
  • either of:
    • the sensitive file exists in an NTFS volume
    • the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)

Details

Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied.
Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream.

Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Access via browser at http://localhost:5173/.env::$DATA?raw
deecc1315123883cfd0f9c26a002845a

Example expected result:

  • /.env::$DATA?raw returns the contents of .env
  • /tls.pem::$DATA?raw returns the contents of tls.pem

References


This issue was automatically created by repo-sentinel. Assigned to Copilot for an automated fix attempt.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity vulnerability finding

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions