CVE-2026-41211 Overview
CVE-2026-41211 is a path traversal vulnerability [CWE-22] in Vite+, a unified toolchain and entry point for web development from Voidzero. The flaw resides in the downloadPackageManager() function, which accepts an untrusted version string and uses it directly in filesystem paths. An attacker who controls the version value can supply ../ segments or an absolute path to escape the VP_HOME/package_manager/<pm>/ cache root. This allows Vite+ to delete, replace, and populate directories outside the intended cache location. Versions prior to 0.1.17 are affected, and version 0.1.17 contains the patch.
Critical Impact
Local attackers can manipulate filesystem paths through unsanitized version input, leading to arbitrary directory deletion, replacement, and content injection outside the intended cache scope.
Affected Products
- Voidzero Vite+ versions prior to 0.1.17
- Node.js-based deployments of Vite+ toolchain
- Development environments using Vite+ package manager download functionality
Discovery Timeline
- 2026-04-23 - CVE-2026-41211 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-41211
Vulnerability Analysis
The vulnerability stems from improper neutralization of path elements in the downloadPackageManager() function within Vite+. The function receives a version string from caller-controlled input and concatenates it into a filesystem path without sanitization or validation. The intended target directory is VP_HOME/package_manager/<pm>/, which serves as a cache root for downloaded package managers.
Because the version parameter is appended directly to this path, attackers can inject directory traversal sequences such as ../ or supply absolute paths. The resulting path escapes the cache root entirely. Vite+ then performs destructive filesystem operations on the resolved location, including directory deletion, replacement, and population with downloaded content.
The attack vector is local, meaning the attacker must have a means to influence the version argument passed to the vulnerable function. The integrity and availability impact on the affected system are high, while confidentiality is not directly affected.
Root Cause
The root cause is missing input validation on the version parameter consumed by downloadPackageManager(). The function trusts caller-supplied data and uses string concatenation to build filesystem paths. There is no canonicalization step to verify the resolved path remains within VP_HOME/package_manager/<pm>/.
Attack Vector
An attacker influences the version string passed into downloadPackageManager(). By supplying values containing ../../../../etc or an absolute path such as /etc/vite-config, the attacker redirects Vite+ filesystem operations to arbitrary locations. Vite+ then deletes the targeted directory, recreates it, and populates it with downloaded package manager artifacts. This can overwrite configuration files, corrupt application data, or stage malicious content for later execution by other processes. See the GitHub Security Advisory GHSA-33r3-4whc-44c2 for additional technical context.
Detection Methods for CVE-2026-41211
Indicators of Compromise
- Unexpected directories created or deleted outside VP_HOME/package_manager/
- Vite+ process performing filesystem writes to system directories or user configuration paths
- Package manager binaries or archives appearing in unrelated filesystem locations
- Log entries showing version strings containing ../ sequences or absolute paths
Detection Strategies
- Audit Vite+ invocation contexts for caller-controlled version parameters reaching downloadPackageManager()
- Monitor filesystem activity by the Vite+ process for writes outside the expected cache root
- Inspect CI/CD pipeline logs and developer workstation telemetry for anomalous Vite+ directory operations
- Compare installed Vite+ version against the patched release 0.1.17
Monitoring Recommendations
- Enable filesystem auditing on directories adjacent to VP_HOME to capture unauthorized writes
- Alert on Vite+ child processes deleting or recreating directories outside package_manager/
- Track package manager download activity and correlate target paths against the expected cache root
How to Mitigate CVE-2026-41211
Immediate Actions Required
- Upgrade Vite+ to version 0.1.17 or later on all developer workstations and build agents
- Inventory CI/CD pipelines and identify any automation passing user-controlled version strings to Vite+
- Review filesystem state under and adjacent to VP_HOME for evidence of unauthorized modification
- Rotate any secrets or credentials stored in directories that may have been overwritten
Patch Information
Voidzero released the fix in Vite+ version 0.1.17. The patch sanitizes the version parameter consumed by downloadPackageManager() and prevents path traversal outside the cache root. Refer to the GitHub Security Advisory GHSA-33r3-4whc-44c2 for release details.
Workarounds
- Restrict execution of Vite+ to trusted users and isolated build environments until upgrade is complete
- Validate or hardcode the version argument supplied to Vite+ tooling rather than accepting external input
- Run Vite+ under a least-privilege account to limit the scope of filesystem operations
# Upgrade Vite+ to the patched release
npm install vite-plus@0.1.17
# Verify installed version
npm list vite-plus
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
