VulnerableCode Package Details - pkg:npm/vite@7.2.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-nh6q-ms28-13ee Aliases: CVE-2026-39365 GHSA-4w7w-66w2-5vf9	Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.	7.3.2 Affected by 0 other vulnerabilities. 8.0.0-beta.0 Affected by 0 other vulnerabilities. 8.0.5 Affected by 0 other vulnerabilities.
VCID-ttfe-2bcz-f3e4 Aliases: CVE-2026-39364 GHSA-v2wj-q39q-566r	Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.	7.3.2 Affected by 0 other vulnerabilities. 8.0.0-beta.0 Affected by 0 other vulnerabilities. 8.0.5 Affected by 0 other vulnerabilities.
VCID-xn8m-3ck8-fufm Aliases: CVE-2026-39363 GHSA-p9ff-h696-f583	Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.	7.3.2 Affected by 0 other vulnerabilities. 8.0.0-beta.0 Affected by 0 other vulnerabilities. 8.0.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-nh6q-ms28-13ee
Aliases:
CVE-2026-39365
GHSA-4w7w-66w2-5vf9

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

7.3.2
Affected by 0 other vulnerabilities.

8.0.0-beta.0
Affected by 0 other vulnerabilities.

8.0.5
Affected by 0 other vulnerabilities.

VCID-ttfe-2bcz-f3e4
Aliases:
CVE-2026-39364
GHSA-v2wj-q39q-566r

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

7.3.2
Affected by 0 other vulnerabilities.

8.0.0-beta.0
Affected by 0 other vulnerabilities.

8.0.5
Affected by 0 other vulnerabilities.

VCID-xn8m-3ck8-fufm
Aliases:
CVE-2026-39363
GHSA-p9ff-h696-f583

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

7.3.2
Affected by 0 other vulnerabilities.

8.0.0-beta.0
Affected by 0 other vulnerabilities.

8.0.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:54:41.150377+00:00	GitLab Importer	Affected by	VCID-xn8m-3ck8-fufm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2026-39363.yml	38.6.0
2026-06-12T21:54:28.363191+00:00	GitLab Importer	Affected by	VCID-ttfe-2bcz-f3e4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2026-39364.yml	38.6.0
2026-06-12T21:54:22.601287+00:00	GitLab Importer	Affected by	VCID-nh6q-ms28-13ee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2026-39365.yml	38.6.0