Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1961

NIXPKGS-2026-1961
published 12 hours ago
Vite: `server.fs.deny` bypass on Windows alternate paths
Permalink CVE-2026-53571
8.2 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 12 hours ago by @LeSuisse Activity log
  • Created suggestion 16 hours ago
  • @LeSuisse ignored
    6 packages
    • vite
    • vscode-extensions.vitest.explorer
    • python313Packages.django-vite
    • vitetris
    • python314Packages.django-vite
    • vitess
    12 hours ago
  • @LeSuisse accepted 12 hours ago
  • @LeSuisse published on GitHub 12 hours ago
Vite: `server.fs.deny` bypass on Windows alternate paths

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.

Affected products

vite
  • ==>= 8.0.0, < 8.0.16
  • ==< 6.4.3
  • ==>= 7.0.0, < 7.3.5

Matching in nixpkgs

pkgs.vitejs

Frontend tooling for NodeJS

Ignored packages (6)

pkgs.vite

Visual Trace Explorer (ViTE), a tool to visualize execution traces

  • nixos-unstable 1.4
    • nixpkgs-unstable 1.4
    • nixos-unstable-small 1.4
  • nixos-26.05 1.4
    • nixos-26.05-small 1.4
    • nixpkgs-26.05-darwin 1.4

pkgs.vitess

Database clustering system for horizontal scaling of MySQL