What is the severity of CVE-2026-39365?

CVE-2026-39365 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-39365?

No known public exploits are currently available for CVE-2026-39365.

Is there a patch available for CVE-2026-39365?

Yes, patches are available for CVE-2026-39365. Check the vendor advisories for update instructions.

CVE-2026-39365 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-39365?

### Summary Any files ending with `.map` even out side the project can be returned to the browser. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - have a sensitive content in files ending with `.map` and the path is predictable ### Details In Vite v7.3.1, the dev server’s handling of `.map` requests for optimized dependencies resolves file paths and calls `readFile` without restricting `../` segments in the URL. As a result, it is possible to bypass the [`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict) allow list and retrieve `.map` files located outside the project root, provided they can be parsed as valid source map JSON. ### PoC 1. Create a minimal PoC sourcemap outside the project root ```bash cat > /tmp/poc.map <<'EOF' {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""} EOF ``` 2. Start the Vite dev server (example) ```bash pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080 ``` 3. Confirm that direct `/@fs` access is blocked by `strict` (returns 403) 4. Inject `../` segments under the optimized deps `.map` URL prefix to reach `/tmp/poc.map`

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
have a sensitive content in files ending with .map and the path is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

Create a minimal PoC sourcemap outside the project root

cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF

Start the Vite dev server (example)

pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080

Confirm that direct /@fs access is blocked by strict (returns 403) <img width="4004" height="1038" alt="image" src="https://github.com/user-attachments/assets/15a859a8-1dc6-4105-8d58-80527c0dd9ab" />
Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map <img width="2790" height="846" alt="image" src="https://github.com/user-attachments/assets/5d02957d-2e6a-4c45-9819-3f024e0e81f2" />

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com Github.com

Ready for Agentic Automated Testing?

CVE-2026-39365

Summary

Impact

Details

PoC