Vite has a Path Traversal in Optimized Deps `.map` Handling

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

N/A

对路径名的限制不恰当(路径遍历)

Vite 路径遍历漏洞

Vite是Vite开源的一种新型的前端构建工具。 Vite 6.0.0至6.4.2之前版本、7.3.2之前版本和8.0.5之前版本存在路径遍历漏洞，该漏洞源于对.map请求的路径遍历限制不足，可能导致绕过允许列表并检索项目根目录外的文件。

N/A

N/A