Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3.
Vite: `server.fs.deny` bypass on Windows alternate paths
Problem type
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Affected products
vitejs
>= 8.0.0, < 8.0.16 - AFFECTED
>= 7.0.0, < 7.3.5 - AFFECTED
< 6.4.3 - AFFECTED
References
GitHub Security Advisories
GHSA-fx2h-pf6j-xcff
vite: `server.fs.deny` bypass on Windows alternate paths
https://github.com/advisories/GHSA-fx2h-pf6j-xcffSummary
The contents of files that are specified by server.fs.deny can be returned to the browser on Windows.
Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using
--hostorserver.hostconfig option) - the sensitive file exists in the allowed directories specified by
server.fs.allow - either of:
- the sensitive file exists in an NTFS volume
- the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)
Details
Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied.
Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream.
Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.
PoC
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
Access via browser at http://localhost:5173/.env::$DATA?raw
Example expected result:
/.env::$DATA?rawreturns the contents of.env/tls.pem::$DATA?rawreturns the contents oftls.pem
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-53571Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-53571",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T18:07:53.961Z",
"dateReserved": "2026-06-09T19:11:53.483Z",
"datePublished": "2026-06-22T16:10:58.500Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T16:10:58.500Z"
},
"title": "Vite: `server.fs.deny` bypass on Windows alternate paths",
"descriptions": [
{
"lang": "en",
"value": "Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. This vulnerability is fixed in 8.0.16, 7.3.5, and 6.4.3."
}
],
"affected": [
{
"vendor": "vitejs",
"product": "vite",
"versions": [
{
"version": ">= 8.0.0, < 8.0.16",
"status": "affected"
},
{
"version": ">= 7.0.0, < 7.3.5",
"status": "affected"
},
{
"version": "< 6.4.3",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"cweId": "CWE-22",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"cweId": "CWE-200",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff",
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff",
"tags": [
"x_refsource_CONFIRM"
]
}
],
"metrics": [
{}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-06-22T18:07:53.961Z"
},
"title": "CISA ADP Vulnrichment",
"references": [
{
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff",
"tags": [
"exploit"
]
}
],
"metrics": [
{}
]
}
]
}
}