Vite · Vite · CVE-2026-39363
Name of the Vulnerable Software and Affected Versions
Vite versions 6.0.0 through 6.4.1, 7.3.2, and 8.0.5
Description
Vite, a frontend tooling framework for JavaScript, had a flaw where the `server.fs` check was not enforced for the `fetchModule` method exposed over the Vite dev server’s WebSocket. If a connection to the dev server’s WebSocket could be established without an Origin header, an attacker could invoke `fetchModule` via the custom WebSocket event `vite:invoke` and combine `file://...` with `?raw` (or `?inline`) to retrieve the contents of arbitrary files on the server as a JavaScript string. The access control enforced in the HTTP request path was not applied to this WebSocket-based execution path. This could expose arbitrary files on the server, including files on the development machine, in a CI environment, or in a container.
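As an added illustration (not Vite's own code or its fix), the kind of `server.fs`-style allow-list and Origin check that the HTTP path applied and the WebSocket `fetchModule` path did not; the root directories, allowed origins, function names and sample module ids are constructed assumptions, and POSIX paths are assumed throughout.

```javascript
// Added illustration, not Vite's own code: a server.fs-style allow-list check
// plus an Origin check, the two gates the WebSocket `vite:invoke` -> fetchModule
// path lacked. Roots, origins and sample ids are constructed; POSIX paths assumed.
const ALLOW_ROOTS = ['/srv/app/src', '/srv/app/node_modules']; // stands in for server.fs.allow
const ALLOW_ORIGINS = ['http://localhost:5173'];                 // the dev server's own origin

// Collapse `.` and `..` segments so a traversal cannot escape a root after the check.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Turn a module id into an absolute path, or null if it cannot be served.
// Handles the shapes the advisory mentions: `file://` URLs and plain absolute
// paths, each possibly carrying a `?raw` / `?inline` query.
function resolveModulePath(id) {
  let spec = id.split('?')[0];                   // drop ?raw, ?inline, ...
  if (spec.startsWith('file://')) {
    spec = spec.slice('file://'.length);         // file:///x -> /x ; file://host/x -> host/x
    try { spec = decodeURIComponent(spec); } catch { return null; }
  }
  if (!spec.startsWith('/')) return null;        // reject relative ids and file://host forms
  return normalizePosix(spec);
}

// The check the WebSocket path lacked: the resolved file must sit inside an allowed root.
function isWithinAllowedRoots(id, roots = ALLOW_ROOTS) {
  const target = resolveModulePath(id);
  if (target === null) return false;
  return roots.some((root) => {
    const r = normalizePosix(root);
    return target === r || target.startsWith(r + '/');
  });
}

// A missing Origin is exactly the case the advisory describes, so it is rejected
// rather than treated as same-origin.
function isAllowedOrigin(origin, origins = ALLOW_ORIGINS) {
  return typeof origin === 'string' && origins.includes(origin);
}

// Gate for a fetchModule invocation arriving over the WebSocket.
function shouldServeFetchModule(origin, moduleId, roots = ALLOW_ROOTS, origins = ALLOW_ORIGINS) {
  return isAllowedOrigin(origin, origins) && isWithinAllowedRoots(moduleId, roots);
}
```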
Recommendations
Update Vite to version 6.4.2 or later, 7.3.2, or 8.0.5.