Threat Advisory

Vite Vulnerability Exposes Environment Files on Windows

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-53571, with a CVSS score of 7.5, is a vulnerability in the Vite development server (npm package) that affects versions 6.4.2 and earlier, 7.0.0 through 7.3.4, 8.0.0 through 8.0.15, as well as vite-plus up to 0.1.23; it allows bypass of the `server.fs.deny` configuration on Windows by exploiting alternate path forms such as NTFS alternate data streams (ADS) and 8.3 short-name aliases. The flaw arises because Vite's deny logic fails to normalize these Windows-specific path representations before performing access checks, so a request like `/.env::$DATA?raw` or a short-name variant is treated as permitted and the underlying file's contents are served to the browser. An attacker can exploit this by sending a crafted HTTP request to a Vite dev server that is deliberately exposed to the network (using `--host` or `server.host`) and where the target file resides in a directory listed in `server.fs.allow`. Successful exploitation yields read-only access to sensitive files such as `.env`, certificate, or key files, effectively leaking credentials, configuration secrets, or private keys. The business impact includes unauthorized disclosure of confidential environment variables, potential credential reuse, and escalation to broader compromises of application infrastructure. Exploitation requires the server to run on Windows with 8.3 short-name generation enabled (default on system volumes) or on an NTFS volume, and the victim application must expose the dev server externally.

RECOMMENDATION:

  • We recommend updating npm/vite to version 8.0.16.
  • We recommend updating npm/vite-plus to version 0.1.24.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-fx2h-pf6j-xcff
