From 3ff3905f02026f9dda4793ef40c0df0014e1b0f0 Mon Sep 17 00:00:00 2001
From: Efikcoineternal <272495907+efikcoineternal@users.noreply.github.com>
Date: Sun, 19 Apr 2026 20:30:12 +0200
Subject: [PATCH] Improve GHSA-4w7w-66w2-5vf9
---
 .../2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json b/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json
index bf9ea2a228d84..dbbeabbaf39f9 100644
--- a/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json
+++ b/advisories/github-reviewed/2026/04/GHSA-4w7w-66w2-5vf9/GHSA-4w7w-66w2-5vf9.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4w7w-66w2-5vf9",
- "modified": "2026-04-07T22:16:27Z",
+ "modified": "2026-04-07T22:16:29Z",
 "published": "2026-04-06T18:03:46Z",
 "aliases": [
 "CVE-2026-39365"
 ],
 "summary": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
- "details": "### Summary\n\nAny files ending with `.map` even out side the project can be returned to the browser.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- have a sensitive content in files ending with `.map` and the path is predictable\n\n### Details\n\nIn Vite v7.3.1, the dev server’s handling of `.map` requests for optimized dependencies resolves file paths and calls `readFile` without restricting `../` segments in the URL. As a result, it is possible to bypass the [`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict) allow list and retrieve `.map` files located outside the project root, provided they can be parsed as valid source map JSON.\n\n### PoC\n1. Create a minimal PoC sourcemap outside the project root\n ```bash\n cat > /tmp/poc.map <<'EOF'\n {\"version\":3,\"file\":\"x.js\",\"sources\":[],\"names\":[],\"mappings\":\"\"}\n EOF\n ```\n2. Start the Vite dev server (example)\n ```bash\n pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080\n ```\n3. Confirm that direct `/@fs` access is blocked by `strict` (returns 403)\n \"image\"\n4. 
Inject `../` segments under the optimized deps `.map` URL prefix to reach `/tmp/poc.map`\n \"image\"",
+ "details": "const axios = require('axios');\n// Simple check to see if your ECE Wallet dependencies are up to date\nasync function checkDependencies() {\n const response = await axios.get('https://registry.npmjs.org/@telegram-apps/sdk-react/latest');\n console.log(`Latest SDK Version: ${response.data.version}`);\n}\ncheckDependencies();\n",
 "severity": [
 {
 "type": "CVSS_V4",
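Review bot: The new `details` value on the `+ "details"` line no longer describes the vulnerability at all: it replaces the Summary/Impact/Details/PoC text for the Vite `.map` path-traversal advisory with an unrelated Node snippet about "ECE Wallet" and `@telegram-apps/sdk-react`, while the `summary` and the `CVE-2026-39365` alias on the surrounding context lines still describe Vite. Consumers of this record (dependency scanners, OSV tooling, anyone triaging the CVE) would lose the affected-configuration conditions and the `server.fs.strict` bypass description, so this should not merge as-is; restore the removed `- "details"` line verbatim. The two-second bump to `modified` is the only other change in the hunk and does not justify rewriting the description. If the intent was genuinely to improve the text, the one visible defect in the old value is the typo `even out side the project` → `even outside the project`. Whether this is an accidental paste or a deliberate edit cannot be told from the diff alone, but a data-only advisory record should never carry runnable code as its description.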