Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1007

NIXPKGS-2026-1007
published on
Permalink CVE-2026-39364
updated 1 day, 21 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 2 days, 6 hours ago
  • @LeSuisse removed package vite 1 day, 22 hours ago
  • @LeSuisse removed package vitess 1 day, 22 hours ago
  • @LeSuisse removed package vitetris 1 day, 22 hours ago
  • @LeSuisse removed package python312Packages.django-vite 1 day, 22 hours ago
  • @LeSuisse removed package python313Packages.django-vite 1 day, 22 hours ago
  • @LeSuisse removed package python314Packages.django-vite 1 day, 22 hours ago
  • @LeSuisse removed package vscode-extensions.vitest.explorer 1 day, 22 hours ago
  • @LeSuisse accepted 1 day, 22 hours ago
  • @LeSuisse published on GitHub 1 day, 21 hours ago
Vite has a `server.fs.deny` bypass with queries

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.

Affected products

vite
  • ==>= 8.0.0, < 8.0.5
  • ==>= 7.1.0, < 7.3.2
vite-plus
  • ==< 0.1.16

Matching in nixpkgs

pkgs.vitejs

Frontend tooling for NodeJS

Ignored packages (7)

pkgs.vite

Visual Trace Explorer (ViTE), a tool to visualize execution traces

  • nixos-unstable 1.4
    • nixpkgs-unstable 1.4
    • nixos-unstable-small 1.4
  • nixos-25.11 1.4
    • nixos-25.11-small 1.4
    • nixpkgs-25.11-darwin 1.4

pkgs.vitess

Database clustering system for horizontal scaling of MySQL