
CVE-2026-53571 — Vite: `server.fs.deny` bypass on Windows alternate paths

AI Predicted: 5.3 · Difficulty: Easy · EPSS: 0.39% · P31

Affected Version Matrix (3)

Vendor   Product   Version Range        Status
vitejs   vite      >= 8.0.0, < 8.0.16   affected
vitejs   vite      >= 7.0.0, < 7.3.5    affected
vitejs   vite      < 6.4.3              affected

I. Basic Information for CVE-2026-53571

Vulnerability Information


Vulnerability Title
Vite: `server.fs.deny` bypass on Windows alternate paths
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.
Source: NVD (National Vulnerability Database)
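As an added illustration (not Vite's code and not its actual patch), the JavaScript below shows one way a dev server's deny check can canonicalise the Windows alternate path forms named in the description before matching, so that `/.env::$DATA?raw` is judged like `/.env`. The deny globs, the helper names and the conservative rule of refusing any path component that contains a stream separator or an 8.3-style `~N` suffix are assumptions of this example.

```javascript
// Added example, not Vite's implementation: a deny-list check that canonicalises
// Windows alternate path forms (NTFS ADS suffixes, 8.3 short names) before the
// deny patterns are applied, so "/.env::$DATA?raw" is treated like "/.env".

// Deny globs modelled on the defaults named in the advisory (assumed list).
const DENY_GLOBS = ['.env', '.env.*', '*.crt', '*.pem'];

// Turn a simple glob (only '*' supported) into an anchored, case-insensitive
// RegExp; NTFS file names are case-insensitive, so the match must be too.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '[^/]*');
  return new RegExp(`^${escaped}$`, 'i');
}
const DENY_RES = DENY_GLOBS.map(globToRegExp);

// True when a single path component is a form Windows may resolve to another
// file: a stream suffix ("name::$DATA", "name:stream") or an 8.3 short name
// ("ENV~1", "LONGFI~1.TXT"). Refusing these outright is deliberately
// conservative: it may reject a legitimately named file, but never serves a
// denied one under an alias.
function hasWindowsAlternateForm(component) {
  if (component.includes(':')) return true;            // NTFS alternate data stream
  return /~\d+(\.[^.]*)?$/.test(component);            // 8.3 short-name tilde form
}

// Decide whether a request path must be refused: drop the query string (the
// "?raw" in the advisory), percent-decode once, normalise separators and dot
// segments, then check each component for alternate forms and the final
// file name against the deny globs.
function isRequestDenied(urlPath) {
  const withoutQuery = urlPath.split(/[?#]/)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(withoutQuery);
  } catch {
    return true;                                       // malformed escape: refuse
  }
  const stack = [];
  for (const part of decoded.replace(/\\/g, '/').split('/')) {
    if (part === '' || part === '.') continue;
    if (part === '..') { stack.pop(); continue; }      // never climb above the root
    if (hasWindowsAlternateForm(part)) return true;
    stack.push(part);
  }
  const fileName = stack.length ? stack[stack.length - 1] : '';
  return DENY_RES.some((re) => re.test(fileName));
}
```

A check of this shape belongs before any file system access, because the operating system, not the deny list, is what maps the alias back to the real file.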
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper restriction of a pathname (path traversal)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vite information disclosure vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Vite is a new type of frontend build tool open-sourced by the Vite team. Vite versions prior to 8.0.16, prior to 7.3.5, and prior to 6.4.3 contain a security vulnerability that stems from NTFS ADS path forms not being correctly normalized on Windows and from file access via 8.3 short file names not being rejected, which may result in the contents of sensitive files being returned to the browser.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor   Product   Affected Versions    CPE
vitejs   vite      >= 8.0.0, < 8.0.16   -

II. Public POCs for CVE-2026-53571


No public POC found.


III. Intelligence Information for CVE-2026-53571


Vendor Advisories for CVE-2026-53571 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-53571

No comments yet
