Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53571

CVE-2026-53571: Vitejs Vite Path Traversal Vulnerability

CVE-2026-53571 is a path traversal vulnerability in Vitejs Vite that allows attackers to bypass file access restrictions on Windows systems. This post covers technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-53571 Overview

CVE-2026-53571 is a path traversal vulnerability [CWE-22] in Vite, a frontend tooling framework for JavaScript. The flaw affects the development server's server.fs.deny enforcement when running on Microsoft Windows. Attackers can bypass the deny list by appending NTFS Alternate Data Stream (ADS) suffixes such as ::$DATA or by using Windows 8.3 short filename forms. As a result, files intended to be blocked, including .env, .env.*, and *.{crt,pem}, can be served to a remote browser. The issue is fixed in Vite versions 8.0.16, 7.3.5, and 6.4.3.

Critical Impact

Remote attackers can retrieve sensitive configuration files and private keys from Vite dev servers running on Windows, exposing credentials and cryptographic material.

Affected Products

  • Vite (vitejs/vite) versions prior to 8.0.16, 7.3.5, and 6.4.3
  • VoidZero vite+ distributions on affected Vite branches
  • Microsoft Windows hosts running the Vite development server

Discovery Timeline

  • 2026-06-22 - CVE-2026-53571 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-53571

Vulnerability Analysis

Vite's development server exposes project files through an HTTP interface and uses the server.fs.deny option to block requests for sensitive paths. The deny list compares request paths against patterns such as .env, .env.*, and *.{crt,pem}. On Windows, the comparison runs against the raw request path before the operating system resolves Windows-specific filename forms. The vulnerability allows an unauthenticated remote attacker to fetch denied files by issuing crafted GET requests to the dev server. Successful exploitation discloses environment variables, API keys, database credentials, and TLS private keys checked into project directories. The Exploit Prediction Scoring System assigns this issue an EPSS of 0.393%.

Root Cause

The deny logic does not normalize Windows path aliases before applying its pattern checks. Two Windows-specific filename forms slip past the filter. First, NTFS Alternate Data Streams allow filename::$DATA to refer to the default data stream of filename. Second, the 8.3 short filename compatibility feature maps a long filename to a legacy short form that the deny list does not match against. Both forms resolve to the original file once the request reaches the Windows file system APIs.

Attack Vector

An attacker who can reach an exposed Vite dev server sends a request such as /.env::$DATA?raw. The deny check sees a path that does not literally match .env and permits the request. Windows then opens .env and returns its contents. The same technique works through short filename aliases generated by the file system. The attack requires no authentication and no user interaction. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-fx2h-pf6j-xcff.

Detection Methods for CVE-2026-53571

Indicators of Compromise

  • HTTP requests to the Vite dev server containing the literal substring ::$DATA in the URL path or query string.
  • Requests targeting filenames that match the 8.3 short name pattern, such as paths containing a tilde followed by a digit (ENV~1, CONFIG~1).
  • Successful 200 OK responses for paths normally blocked by server.fs.deny, including .env, .env.local, and *.pem.

Detection Strategies

  • Inspect Vite dev server access logs for path components containing ::, $DATA, or tilde-numeric suffixes that indicate short name access.
  • Add web application firewall rules that block any HTTP request URI containing NTFS stream syntax before it reaches Node.js.
  • Correlate dev server requests against a deny list of sensitive filenames and alert when status 200 is returned for those names.

Monitoring Recommendations

  • Forward Node.js process and reverse proxy logs from Windows development hosts to a central log store for review.
  • Alert on dev server processes bound to non-loopback interfaces, since Vite dev servers should not normally be exposed to untrusted networks.
  • Track installed Vite versions across developer workstations and build agents to identify hosts still running affected releases.

How to Mitigate CVE-2026-53571

Immediate Actions Required

  • Upgrade Vite to 8.0.16, 7.3.5, or 6.4.3 on every Windows host running the dev server.
  • Audit project repositories for committed .env, *.pem, and *.crt files and rotate any credentials or certificates that may have been exposed.
  • Restrict the Vite dev server to localhost by setting server.host to 127.0.0.1 until the upgrade is complete.

Patch Information

The Vite maintainers fixed the path normalization logic in versions 8.0.16, 7.3.5, and 6.4.3. The patched code rejects request paths containing NTFS Alternate Data Stream syntax and resolves Windows 8.3 short names before applying server.fs.deny checks. Refer to the Vite Security Advisory GHSA-fx2h-pf6j-xcff for the full fix description.

Workarounds

  • Bind the Vite dev server exclusively to the loopback interface and avoid running it over public or shared networks.
  • Place sensitive files outside of the project root so that requests cannot resolve to them through the dev server's file system handler.
  • Disable NTFS 8.3 short name generation on development volumes using fsutil 8dot3name set 1 and strip existing short names where feasible.
bash
# Configuration example
npm install vite@8.0.16 --save-dev

# Verify installed version
npx vite --version

# Disable 8.3 short name creation on a Windows volume
fsutil 8dot3name set C: 1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.