Description
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.
Severity (CVSS)
| Base score | 5.5 |
|---|---|
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H |
| Provided by | CNA |
Weaknesses
- CWE-73 — CWE-73: External Control of File Name or Path
- CWE-522 — CWE-522: Insufficiently Protected Credentials
Affected products
| Vendor | Product | Versions |
|---|---|---|
| vitejs | launch-editor | < 2.14.1 |
| vitejs | vite | >= 8.0.0, < 8.0.16; >= 7.0.0, < 7.3.5; < 6.4.3 |
| vitejs | vite-plus | < 0.1.24 |
References
- https://github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3 (x_refsource_CONFIRM)
Generated from the official CVE List on 23 Jun 2026 10:05 UTC.