PT-2026-30768 · Vite · Vite

Codeant-Ai-Security +2 · Published 2026-04-06 · Updated 2026-06-04 · CVE-2026-39363

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vite versions 6.0.0 through 6.4.1, 7.3.2, and 8.0.5
Description: Vite, a frontend tooling framework for JavaScript, had a flaw where the server.fs check was not enforced for the fetchModule method exposed in the Vite dev server's WebSocket. If a connection to the Vite dev server's WebSocket could be established without an Origin header, an attacker could invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string. The access control enforced in the HTTP request path was not applied to this WebSocket-based execution path. This could allow exposure of arbitrary files on the server, including files on the development machine, in the CI environment, or in the container running the dev server.
Recommendations: Update Vite to version 6.4.2 or later, 7.3.2, or 8.0.5.

Exploit · Fix · Missing Authentication · Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-39363
GHSA-P9FF-H696-F583

Affected Products

Vite