Vite: `server.fs.deny` bypass on Windows alternate paths_CVE-2026-53571

8.2 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.

Basic Information

ID CVE-2026-53571

Source GitHub_M

Published Jun 22, 2026 at 16:10

Affected Product

Vendor vitejs

Product vite

Version >= 8.0.0, < 8.0.16

Affected Versions vitejs vite >= 8.0.0, < 8.0.16
vitejs vite >= 7.0.0, < 7.3.5
vitejs vite < 6.4.3

CWE Classification

CWE-22 CWE-200

References

github.com /vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff

{
    "lastseen": "",
    "description": "Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite\u2019s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.",
    "published": "2026-06-22T16:10:58.500Z",
    "modified": "2026-06-22T16:10:58.500Z",
    "type": "cve",
    "title": "Vite: `server.fs.deny` bypass on Windows alternate paths",
    "source": "GitHub_M",
    "references": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff",
    "id": "CVE-2026-53571",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "vitejs vite >= 8.0.0, < 8.0.16\nvitejs vite >= 7.0.0, < 7.3.5\nvitejs vite < 6.4.3",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vite",
    "version": ">= 8.0.0, < 8.0.16",
    "vendor": "vitejs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}