CVE-2026-53571 in vite
Summary
by MITRE • 06/22/2026
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similarly, Windows allows a file to be accessed under a different name through the 8.3 short name compatibility feature, and Vite did not reject access via such names. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.
Analysis
by VulDB Data Team • 06/26/2026
This vulnerability affects the Vite frontend tooling framework in versions prior to 8.0.16, 7.3.5, and 6.4.3, where the server.fs.deny configuration mechanism fails to properly handle Windows-specific file system behaviors. The core issue lies in how Vite's development server implements access controls for sensitive files such as .env files and certificate files with extensions like .crt and .pem. While the framework correctly implements deny rules to prevent direct access to these files, the implementation contains a critical flaw in its path normalization logic specifically on Windows operating systems.
The technical flaw stems from Windows NTFS file system behavior where files can be accessed through alternative paths including named data streams and 8.3 short name compatibility features. When Vite processes requests such as /.env::$DATA?raw, it fails to normalize these NTFS ADS (Alternate Data Stream) paths before applying access controls. This allows attackers to bypass the intended file denial restrictions by accessing files through their alternate stream representations. Similarly, Windows' legacy 8.3 short name compatibility feature enables access to files using shortened names, which Vite does not properly filter out during access validation checks.
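As an added illustration (not Vite's code and not the actual fix), the following JavaScript models the two shapes of check described above: the flawed form matches deny rules against the requested basename, so `/.env::$DATA?raw` slips through, while the hardened form rejects NTFS stream syntax and 8.3 short-name shapes before the deny list is consulted. The deny regexes, the `SHORT_NAME` heuristic and the assumption that the URL is root-relative are assumptions of this example.

```javascript
// Added example, not Vite's code: a defensive pre-check that normalizes
// Windows-specific path spellings before a dev server's fs.deny rules
// are applied. Deny rules here are basename regexes modelled on Vite's
// defaults (.env, .env.*, *.{crt,pem}); the URL is assumed root-relative.
const DENY = [/^\.env$/i, /^\.env\..+$/i, /\.(crt|pem)$/i];

// 8.3 short-name shape: 1-6 chars, "~", digits, optional 1-3 char extension
// (e.g. ENV~1). Conservative heuristic: rejects any segment of this shape.
const SHORT_NAME = /^[^.~\\\/]{1,6}~\d{1,6}(\.[^.\\\/]{1,3})?$/;

// Split a request URL into decoded path segments, dropping the query string
// (?raw, ?import), which is a Vite transform hint, not part of the file name.
function segmentsOf(url) {
  const rawPath = url.split("?")[0];
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding: treat as untrusted
  }
  return decoded.split(/[\\\/]+/).filter(Boolean);
}

// The flawed shape of the check: match deny rules against the basename as
// requested. ".env::$DATA" is not ".env", so the rule never fires, even
// though NTFS opens the same default data stream.
function naiveCheck(url) {
  const segs = segmentsOf(url);
  if (segs === null) return { allowed: false, reason: "bad-encoding" };
  const base = segs[segs.length - 1] ?? "";
  return DENY.some((re) => re.test(base))
    ? { allowed: false, reason: "fs.deny" }
    : { allowed: true, reason: null };
}

// Hardened shape: reject alternate spellings that Windows would resolve to
// another name before consulting the deny list at all.
function hardenedCheck(url) {
  const segs = segmentsOf(url);
  if (segs === null) return { allowed: false, reason: "bad-encoding" };
  for (const seg of segs) {
    // Any colon inside a segment is NTFS stream syntax (name:stream, name::$DATA).
    if (seg.includes(":")) return { allowed: false, reason: "ntfs-ads" };
    if (SHORT_NAME.test(seg)) return { allowed: false, reason: "8.3-short-name" };
  }
  return naiveCheck(url); // normal deny matching on the canonical name
}
```

The same colon and short-name rejection should run on every segment, not only the basename, because a directory component can carry the alternate spelling as well.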
The operational impact of this vulnerability is significant as it allows unauthorized access to sensitive configuration files and certificates that should remain protected from browser exposure. Attackers can potentially extract environment variables, API keys, and cryptographic materials that are typically stored in .env files or certificate files. This represents a direct violation of the principle of least privilege and could lead to credential theft, system compromise, and data breaches. The vulnerability affects the development server's security model specifically on Windows platforms where these file system features are active.
This vulnerability maps to CWE-22 Improper Limitation of a Pathname to a Restricted Directory and CWE-352 Cross-Site Request Forgery, as it allows unauthorized access to sensitive files through manipulated path requests. From an ATT&CK framework perspective, this corresponds to T1566 Initial Access via credential exposure and T1078 Valid Accounts for privilege escalation. The fix implemented in versions 8.0.16, 7.3.5, and 6.4.3 addresses the root cause by implementing proper NTFS path normalization and ensuring that alternate file access methods are properly rejected during access control validation. Organizations should immediately upgrade to these patched versions and review their development server configurations to ensure that sensitive files remain protected from browser exposure, particularly in environments where Windows operating systems are used for development work.