Description
Any files ending with .map even out side the project can be returned to the browser.
Recommendation
Update the vite package to the latest compatible version. Followings are version details:
Affected version(s): **<= 6.4.1 >= 7.0.0, <= 7.3.1 >= 8.0.0, <= 8.0.4** Patched version(s): **6.4.2 7.3.2 8.0.5**
References
Related Issues
- @google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script - CVE-2026-4092
- nanotar is vulnerable to path traversal in parseTar() and parseTarGzip() - CVE-2025-69874
- FUXA Affected by a Path Traversal Sanitization Bypass - CVE-2026-25951
- Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service - CVE-2022-35204
You might also like:
- Tags:
- npm
- vite
Anything's wrong? Let us know Last updated on April 07, 2026


