{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vite--6.4.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*","cpe:2.3:a:voidzero:vite\\+:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-53571"}],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":["https://sploitus.com/exploit?id=5102680F-B61E-58F4-BFE2-6D894F92EE59\u0026utm_source=rss\u0026utm_medium=rss"],"_cs_products":["Vite (\u003e= 8.0.0, \u003c= 8.0.15)","Vite (\u003e= 7.0.0, \u003c= 7.3.4)","Vite (\u003c= 6.4.2)","vite-plus (\u003c= 0.1.23)","Vite"],"_cs_severities":["high"],"_cs_tags":["information-disclosure","bypass","web-vulnerability","windows","development-server"],"_cs_type":"advisory","_cs_vendors":["Vite","Vitejs"],"content_html":"\u003cp\u003eA critical information disclosure vulnerability, tracked as CVE-2026-53571, affects the Vite development server running on Windows. This flaw allows an attacker to bypass security restrictions imposed by \u003ccode\u003eserver.fs.deny\u003c/code\u003e, which is designed to prevent direct access to sensitive files such as \u003ccode\u003e.env\u003c/code\u003e configurations or TLS certificates (\u003ccode\u003e.crt\u003c/code\u003e, \u003ccode\u003e.pem\u003c/code\u003e). The bypass occurs because Vite's deny logic fails to properly normalize Windows-specific path forms, specifically NTFS Alternate Data Streams (ADS) (e.g., \u003ccode\u003e::$DATA\u003c/code\u003e) and 8.3 short names. When an affected Vite dev server is explicitly exposed to the network (via \u003ccode\u003e--host\u003c/code\u003e or \u003ccode\u003eserver.host\u003c/code\u003e), and sensitive files reside within allowed \u003ccode\u003eserver.fs.allow\u003c/code\u003e directories on NTFS volumes or volumes with 8.3 short name generation enabled, an attacker can craft specific HTTP requests (e.g., \u003ccode\u003e/.env::$DATA?raw\u003c/code\u003e) to retrieve the contents of these protected files. This vulnerability affects npm/vite versions \u0026gt;= 8.0.0, \u0026lt;= 8.0.15; \u0026gt;= 7.0.0, \u0026lt;= 7.3.4; \u0026lt;= 6.4.2; and npm/vite-plus \u0026lt;= 0.1.23, posing a significant risk of sensitive information exfiltration for development environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer initializes a Vite project and starts the development server on a Windows operating system.\u003c/li\u003e\n\u003cli\u003eThe Vite dev server is explicitly exposed to the network using the \u003ccode\u003e--host\u003c/code\u003e CLI option or the \u003ccode\u003eserver.host\u003c/code\u003e configuration option.\u003c/li\u003e\n\u003cli\u003eSensitive files, such as \u003ccode\u003e.env\u003c/code\u003e or \u003ccode\u003etls.pem\u003c/code\u003e, exist within directories allowed by \u003ccode\u003eserver.fs.allow\u003c/code\u003e and are protected by \u003ccode\u003eserver.fs.deny\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn attacker, with network access to the exposed Vite dev server, crafts an HTTP GET request containing a Windows-specific alternate path form (e.g., \u003ccode\u003e/.env::$DATA\u003c/code\u003e) and the \u003ccode\u003e?raw\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eVite's \u003ccode\u003eserver.fs.deny\u003c/code\u003e security check is performed against the unnormalized request path, which the logic incorrectly deems as allowed.\u003c/li\u003e\n\u003cli\u003eThe Windows operating system then resolves the \u003ccode\u003e::$DATA\u003c/code\u003e alternate data stream to the default data stream of the original sensitive file.\u003c/li\u003e\n\u003cli\u003eVite's dev server retrieves the content of the sensitive file (e.g., \u003ccode\u003e.env\u003c/code\u003e) and serves it in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates the contents of the sensitive file, leading to information disclosure (e.g., API keys, database credentials, certificates).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53571 leads to unauthorized information disclosure, potentially exposing sensitive data such as API keys, database credentials, or cryptographic keys (e.g., TLS certificates) that are stored in files like \u003ccode\u003e.env\u003c/code\u003e or \u003ccode\u003e*.pem\u003c/code\u003e. While directly impacting development environments, such breaches can provide attackers with critical intelligence or credentials to pivot into production systems or sensitive internal resources. The vulnerability primarily affects Vite development environments running on Windows that are inadvertently exposed to untrusted networks. The scope of victims depends on how widely exposed Vite dev servers with sensitive files exist; concrete numbers are not available, but the potential for access to development secrets is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-53571\u003c/strong\u003e: Immediately update Vite to a patched version to remediate CVE-2026-53571. Refer to the GHSA advisory linked in the references for specific versions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Segmentation\u003c/strong\u003e: Ensure development servers, especially those running Vite, are not exposed to untrusted networks (e.g., the internet). Restrict access to \u003ccode\u003elocalhost\u003c/code\u003e or internal subnets as much as possible.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Detection Rules\u003c/strong\u003e: Implement the provided Sigma rules into your SIEM to detect exploitation attempts of CVE-2026-53571 based on suspicious \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e patterns in webserver logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Webserver Logging\u003c/strong\u003e: Ensure detailed webserver access logs are enabled and ingested into your SIEM, specifically capturing \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e to facilitate detection of the patterns identified in this brief.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T03:00:50Z","date_published":"2026-06-15T17:24:10Z","id":"https://feed.craftedsignal.io/briefs/2026-06-vite-fs-deny-bypass/","summary":"A high-severity vulnerability (CVE-2026-53571) in the Vite development server on Windows allows threat actors to bypass `server.fs.deny` restrictions, leading to information disclosure of sensitive files like `.env` or `tls.pem` via crafted HTTP requests utilizing NTFS Alternate Data Streams or 8.3 short names, impacting applications that expose the dev server to the network.","title":"Vite Dev Server `server.fs.deny` Bypass on Windows (CVE-2026-53571)","url":"https://feed.craftedsignal.io/briefs/2026-06-vite-fs-deny-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Vite (\u003c= 6.4.2)","version":"https://jsonfeed.org/version/1.1"}