A moderate-severity path traversal flaw in the vite-plus npm package (CVE-2026-41211) allows programmatic callers to escape the designated cache directory, potentially enabling attackers to overwrite arbitrary filesystem locations. Versions up to and including 0.1.16 are affected; users should upgrade to 0.1.17 immediately.
Security researchers published GitHub Security Advisory GHSA-33r3-4whc-44c2 last week, disclosing a path traversal vulnerability (CWE-22) in the vite-plus npm package.
The flaw resides in the downloadPackageManager() function exported by the vite-plus/binding module, which accepts an untrusted version string and uses it directly to construct filesystem paths without validating or sanitizing directory traversal sequences such as ../.
CVE-2026-41211: vite-plus Path Traversal
The vulnerability is tracked as CVE-2026-41211 and has been classified as Moderate in the advisory, despite carrying a high base CVSS v4.0 score, due to the limited practical exposure in real-world deployments. All vite-plus versions ≤ 0.1.16 are affected. The issue is fully resolved in version 0.1.17.
At the heart of this vulnerability is a missing input validation step in the Rust-backed binding layer. When called programmatically, the downloadPackageManager() function forwards the options.version value directly into the filesystem path construction logic used to determine where a downloaded package manager binary will be installed under VP_HOME/package_manager/<pm>/.
The attack chain proceeds in four distinct steps:
- Path construction – The raw version string is interpolated as a path component under VP_HOME. A value like ../../../escaped resolves to a location entirely outside the intended cache root.
- Directory removal – Vite+ deletes any pre-existing directory at the resolved target path (attacker-controlled).
- Rename into place – The extracted downloaded package is renamed into the attacker-specified directory.
- Shim file creation – Executable shim files are written into the attacker-controlled directory.
This sequence means the vulnerability does not merely allow reading outside the intended root; it enables arbitrary directory deletion, replacement, and creation under the executing user’s filesystem permissions.
What makes this particularly dangerous is its interaction with the npm_config_registry environment variable. Since vite-plus supports a custom registry override, an attacker who can influence the version parameter can combine the traversal with a malicious registry endpoint to deliver attacker-controlled content to any writable directory on the host.
Proof of Concept
The advisory includes a functional proof-of-concept demonstrating the escape. A local HTTP server is set up to serve a crafted .tgz archive.
The downloadPackageManager() function is invoked with version: "../../../vite-plus-escape". After execution, the resolved installDir falls outside of VP_HOME, and a shimmed binary is confirmed to exist at the traversed path. The PoC requires no elevated privileges, only the ability to run code in the same Node.js process.
The normal vite-plus CLI, including commands like vp create, vp migrate, and vp env, validates all version strings using semver::Version::parse() before they are forwarded to downloadPackageManager().
This Rust-level semver parser strictly rejects any string containing path characters, meaning the traversal sequences can never reach the vulnerable code path through standard CLI usage.
The attack surface is therefore confined exclusively to programmatic callers that import vite-plus/binding directly and pass externally supplied or insufficiently sanitized version values to downloadPackageManager().
No known downstream consumers of the binding currently handle untrusted input, a mitigating factor that contributed to the advisory’s Moderate (rather than High) severity classification.
| Metric | Value |
|---|---|
| CVE ID | CVE-2026-41211 |
| Advisory | GHSA-33r3-4whc-44c2 |
| Affected Versions | ≤ 0.1.16 |
| Patched Version | 0.1.17 |
| CWE | CWE-22 (Path Traversal) |
| CVSS v4.0 Base Score | High (VI:H, VA:H, SI:H, SA:H) |
| Advisory Severity | Moderate |
| Exploit Status | No known in-the-wild exploitation |
The CVSS v4.0 base vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H reflects the potential for high integrity and availability impacts at both the local and system levels. With threat context applied (E:U, exploitation unlikely), the practical risk is lower, justifying the Moderate advisory rating.
Mitigation
The fix in version 0.1.17, referenced in the GitHub Security Advisory, introduces proper validation of the version parameter within downloadPackageManager() itself, ensuring that even programmatic callers cannot bypass the semver check.
Recommended actions:
- Upgrade immediately to vite-plus@0.1.17 using npm install vite-plus@0.1.17 or npm update vite-plus
- Audit all programmatic usages of vite-plus/binding in your codebase, especially any that pass dynamic or user-supplied version strings to downloadPackageManager()
- Restrict VP_HOME to a directory with minimal permissions to limit the blast radius if exploitation occurs
- Monitor for unexpected directory creation or deletion events in paths adjacent to your VP_HOME install root as an indicator of potential exploitation
Path traversal (CWE-22) remains one of the most exploited vulnerability classes in the software supply chain ecosystem.
The vite-plus vulnerability follows a familiar pattern seen in tools like MindsDB (CVE-2026-27483) and other build tooling: insufficient input sanitization in a downstream binding layer accessible only through programmatic interfaces, not end-user CLI flows.
This highlights the importance of defense-in-depth validation; every layer of an application, including internal APIs and native bindings, must independently enforce input constraints rather than relying solely on upstream callers.
FAQ
Q1: Does CVE-2026-41211 affect standard vite-plus CLI users?
No, CLI commands (vp create, vp migrate, vp env) perform semver validation before the vulnerable function is reached.
Q2: What is the fix for CVE-2026-41211 in vite-plus?
Upgrade to vite-plus@0.1.17, which validates the version string inside downloadPackageManager() to block traversal sequences.
Q3: Can CVE-2026-41211 be exploited remotely?
No, it requires local code execution in the same Node.js process and is classified with AV:L (local attack vector) in CVSS v4.0.
Q4: What is CWE-22, and why is it dangerous in build tools?
CWE-22 (Path Traversal) lets attackers escape restricted directories using ../ sequences, enabling unauthorized file reads, writes, or deletions in build environments where tools run with broad filesystem permissions.
Site: https://thecybrdef.com