关联漏洞
标题:Vite 路径遍历漏洞 (CVE-2026-39365)Description:Vite是Vite开源的一种新型的前端构建工具。 Vite 6.0.0至6.4.2之前版本、7.3.2之前版本和8.0.5之前版本存在路径遍历漏洞,该漏洞源于对.map请求的路径遍历限制不足,可能导致绕过允许列表并检索项目根目录外的文件。
Description
Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and calls readFile without restricting ../ segments in the URL. This allows an attacker to bypass server.fs.strict and retrieve auto-generated sourcemaps for files located outside the project root, leaking absolute filesystem paths. Only dev servers explicitly exposed to the network using --host or server.host are affected.
文件快照
id: CVE-2026-39365
info:
name: Vite Dev Server - Path Traversal in Optimized Deps .map Handling
...
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。