Description
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
None
User Interaction
Active
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
None
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
High
Integrity (Subsequent System)
High
Availability (Subsequent System)
High
Affected products
- vitejs / launch-editor< 2.14.1 – < 2.14.1
- vitejs / vite>= 8.0.0, < 8.0.16 – >= 8.0.0, < 8.0.16
- vitejs / vite>= 7.0.0, < 7.3.5 – >= 7.0.0, < 7.3.5
- vitejs / vite< 6.4.3 – < 6.4.3
- vitejs / vite-plus< 0.1.24 – < 0.1.24