Technologyglobal✓ verified · 90%

vite: `server.fs.deny` bypass on Windows alternate paths

Name: vite: `server.fs.deny` bypass on Windows alternate paths
Start: 2026-06-15T17:17:45Z
Location: Global (internet)

When: 2026-06-15 17:17 UTC
Where: Global (internet)
Category: cyber_advisory · npm

### Summary The contents of files that are specified by [`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny) can be returned to the browser on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - the sensitive file exists in the allowed directories specified by [`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow) - either of: - the sensitive file exists in an NTFS volume - the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes) ### Details Vite’s dev server denies direct access to sensitive files through `server.fs.deny`, including entries such as `.env`, `.env.*`, and `*.{crt,pem}`. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied. Because of this, requests such as `/.env::$DATA?raw` are treated as allowed paths, while Windows resolves them to the original file's default data stream. Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them. ### PoC ```bash $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev ``` Access via browser at `http://localhost:5173/.env::$DATA?raw` <img width="388" height="129" alt="deecc1315123883cfd0f9c26a002845a" src="https://github.com/user-attachments/assets/895c6012-4e2e-4a35-babb-69bbf3ee7170" /> Example expected result: - `/.env::$DATA?raw` returns the contents of `.env` - `/tls.pem::$DATA?raw` returns the contents of `tls.pem`

Sources

GitHub Advisory Database ↗ · first seen 2026-06-15 17:17 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

← Back to the live map