GHSA-4w7w-66w2-5vf9

ADVISORY - github

Summary

Any file ending with .map, even one outside the project root, can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

  • explicitly expose the Vite dev server to the network (using --host or the server.host config option)
  • have sensitive content in files ending with .map at a predictable path

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

  1. Create a minimal PoC sourcemap outside the project root
    cat > /tmp/poc.map <<'EOF'
    {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
    EOF
    
  2. Start the Vite dev server (example)
    pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
    
  3. Confirm that direct /@fs access is blocked by strict (returns 403)
  4. Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map

Common Weakness Enumeration (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
