<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Development-Server - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/development-server/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 15 Jun 2026 17:24:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/development-server/feed.xml" rel="self" type="application/rss+xml"/><item><title>Vite Dev Server `server.fs.deny` Bypass on Windows (CVE-2026-53571)</title><link>https://feed.craftedsignal.io/briefs/2026-06-vite-fs-deny-bypass/</link><pubDate>Mon, 15 Jun 2026 17:24:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-vite-fs-deny-bypass/</guid><description>A high-severity vulnerability (CVE-2026-53571) in the Vite development server on Windows allows threat actors to bypass `server.fs.deny` restrictions, leading to information disclosure of sensitive files like `.env` or `tls.pem` via crafted HTTP requests utilizing NTFS Alternate Data Streams or 8.3 short names, impacting applications that expose the dev server to the network.</description><content:encoded><![CDATA[<p>A critical information disclosure vulnerability, tracked as CVE-2026-53571, affects the Vite development server running on Windows. This flaw allows an attacker to bypass security restrictions imposed by <code>server.fs.deny</code>, which is designed to prevent direct access to sensitive files such as <code>.env</code> configurations or TLS certificates (<code>.crt</code>, <code>.pem</code>). The bypass occurs because Vite's deny logic fails to properly normalize Windows-specific path forms, specifically NTFS Alternate Data Streams (ADS) (e.g., <code>::$DATA</code>) and 8.3 short names. When an affected Vite dev server is explicitly exposed to the network (via <code>--host</code> or <code>server.host</code>), and sensitive files reside within allowed <code>server.fs.allow</code> directories on NTFS volumes or volumes with 8.3 short name generation enabled, an attacker can craft specific HTTP requests (e.g., <code>/.env::$DATA?raw</code>) to retrieve the contents of these protected files. This vulnerability affects npm/vite versions &gt;= 8.0.0, &lt;= 8.0.15; &gt;= 7.0.0, &lt;= 7.3.4; &lt;= 6.4.2; and npm/vite-plus &lt;= 0.1.23, posing a significant risk of sensitive information exfiltration for development environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A developer initializes a Vite project and starts the development server on a Windows operating system.</li>
<li>The Vite dev server is explicitly exposed to the network using the <code>--host</code> CLI option or the <code>server.host</code> configuration option.</li>
<li>Sensitive files, such as <code>.env</code> or <code>tls.pem</code>, exist within directories allowed by <code>server.fs.allow</code> and are protected by <code>server.fs.deny</code>.</li>
<li>An attacker, with network access to the exposed Vite dev server, crafts an HTTP GET request containing a Windows-specific alternate path form (e.g., <code>/.env::$DATA</code>) and the <code>?raw</code> parameter.</li>
<li>Vite's <code>server.fs.deny</code> security check is performed against the unnormalized request path, which the logic incorrectly deems as allowed.</li>
<li>The Windows operating system then resolves the <code>::$DATA</code> alternate data stream to the default data stream of the original sensitive file.</li>
<li>Vite's dev server retrieves the content of the sensitive file (e.g., <code>.env</code>) and serves it in the HTTP response.</li>
<li>The attacker successfully exfiltrates the contents of the sensitive file, leading to information disclosure (e.g., API keys, database credentials, certificates).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-53571 leads to unauthorized information disclosure, potentially exposing sensitive data such as API keys, database credentials, or cryptographic keys (e.g., TLS certificates) that are stored in files like <code>.env</code> or <code>*.pem</code>. While directly impacting development environments, such breaches can provide attackers with critical intelligence or credentials to pivot into production systems or sensitive internal resources. The vulnerability primarily affects Vite development environments running on Windows that are inadvertently exposed to untrusted networks. The scope of victims depends on how widely exposed Vite dev servers with sensitive files exist; concrete numbers are not available, but the potential for access to development secrets is high.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-53571</strong>: Immediately update Vite to a patched version to remediate CVE-2026-53571. Refer to the GHSA advisory linked in the references for specific versions.</li>
<li><strong>Network Segmentation</strong>: Ensure development servers, especially those running Vite, are not exposed to untrusted networks (e.g., the internet). Restrict access to <code>localhost</code> or internal subnets as much as possible.</li>
<li><strong>Deploy Detection Rules</strong>: Implement the provided Sigma rules into your SIEM to detect exploitation attempts of CVE-2026-53571 based on suspicious <code>cs-uri-stem</code> and <code>cs-uri-query</code> patterns in webserver logs.</li>
<li><strong>Enable Webserver Logging</strong>: Ensure detailed webserver access logs are enabled and ingested into your SIEM, specifically capturing <code>cs-uri-stem</code> and <code>cs-uri-query</code> to facilitate detection of the patterns identified in this brief.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>information-disclosure</category><category>bypass</category><category>web-vulnerability</category><category>windows</category><category>development-server</category></item></channel></rss>