PatchSiren cyber security CVE debrief
CVE-2026-53571 Vitejs CVE debrief
CVE-2026-53571 is a high-severity vulnerability in Vite, a frontend tooling framework for JavaScript. The vulnerability allows the contents of sensitive files, such as .env, .env.*, and *.{crt,pem}, to be returned to the browser on Windows. This occurs because Vite's dev server does not correctly normalize NTFS ADS path forms before access checks are applied. As a result, requests like /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream. The vulnerability is fixed in versions 8.0.16, 7.3.5, and 6.4.3.
- Vendor
- Vitejs
- Product
- Vite
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-22
- Original CVE updated
- 2026-06-24
- Advisory published
- 2026-06-22
- Advisory updated
- 2026-06-24
Who should care
Developers and administrators using Vite in their projects should be aware of this vulnerability and take immediate action to update to a patched version. This vulnerability has a high CVSS score of 8.2, indicating a significant risk to affected systems. Vite users on Windows are particularly at risk due to the specific nature of the vulnerability.
Technical summary
The vulnerability in Vite arises from the improper handling of file paths on Windows. Specifically, the server.fs.deny configuration is intended to prevent direct access to sensitive files. However, due to a flaw in path normalization, certain requests can bypass these restrictions. For example, a request like /.env::$DATA?raw can return the contents of the .env file. This issue is exacerbated by Windows' support for alternate data streams (ADS) and 8.3 short name compatibility. The flaw is addressed in Vite versions 8.0.16, 7.3.5, and 6.4.3, which correctly normalize paths and enforce access controls.
Defensive priority
This vulnerability should be prioritized for immediate attention due to its high severity and potential impact. Affected Vite users should update to a patched version as soon as possible to mitigate the risk.
Recommended defensive actions
- Update Vite to version 8.0.16, 7.3.5, or 6.4.3, or later.
- Review and restrict access to sensitive files and directories.
- Implement additional monitoring and logging to detect potential exploitation attempts.
- Ensure that server.fs.deny configurations are properly set up and enforced.
- Consider compensating controls, such as web application firewalls, to detect and prevent exploitation.
Evidence notes
The CVE-2026-53571 vulnerability is documented in the official CVE record and the NVD detail page. The vulnerability was publicly disclosed on June 22, 2026, and the CVE record was last modified on June 24, 2026. The vendor, Vitejs, has provided a security advisory on GitHub, which includes mitigation steps and patched versions.
Official resources
-
CVE-2026-53571 CVE record
CVE.org
-
CVE-2026-53571 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.