Vite, Path Traversal, CVE-2025-XXXXX (Medium)

Listen to this Post

How CVE-2025-XXXXX Works

The vulnerability exists in how Vite’s development server handles requests for `.map` (source map) files of optimized dependencies. In versions prior to the patch (e.g., v7.3.1), the server does not properly sanitize `../` path segments when resolving the file location.
1. Request Structure: An attacker sends a crafted HTTP GET request to the Vite dev server (e.g., `http://localhost:5173/__vite_optimized_deps/../../../tmp/poc.map`).
2. Path Resolution: The server’s `readFile` function is called to read the requested `.map` file. However, the function does not restrict or validate `../` sequences in the URL.
3. Bypassing Restrictions: This flaw allows the attacker to escape the project’s root directory (bypassing the `server.fs.strict` allow list) and access any `.map` file on the filesystem, provided the file can be parsed as valid source map JSON.
4. Preconditions: The attack is only possible when the dev server is explicitly exposed to the network using the `–host` flag or `server.host` configuration option, and when the attacker can predict the path to a target `.map` file.
5. Impact: A successful exploit results in the disclosure of sensitive source map files, potentially revealing application source code, API keys, or other secrets embedded in the maps.
6. Patch: The issue was addressed in Vite version 7.3.2 by adding a path traversal check in the optimize deps sourcemap handler (see commit 22161).

DailyCVE Form

Platform: Vite
Version: v7.3.1
Vulnerability: Path Traversal
Severity: Medium
date: 2026-04-07

Prediction: Already patched

What Undercode Say

Check Vite version
npm list vite
Exploit PoC (example request)
curl "http://localhost:5173/__vite_optimized_deps/../../../tmp/poc.map"
Create a test .map file
echo '{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}' > /tmp/poc.map
Start vulnerable server (if using affected version)
npx vite --host 0.0.0.0 --port 5173

Exploit

An attacker can use a simple HTTP GET request with `../` sequences to read arbitrary `.map` files outside the project root, as demonstrated in the PoC above.

Protection from this CVE

Upgrade Vite to version 7.3.2 or later.

Avoid exposing the Vite dev server to untrusted networks (do not use `–host` or `server.host` in production).
Restrict access to the dev server port (e.g., using firewall rules or a reverse proxy with authentication).
Remove or protect sensitive `.map` files from the filesystem.

Impact

Successful exploitation allows an unauthenticated remote attacker to read arbitrary `.map` files on the server, potentially disclosing source code, configuration data, and other sensitive information that may be embedded in source maps.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top