HIGHCVE-2026-39363Published 2026-04-07Modified 2026-04-08CNA GitHub_M

CVE-2026-39363: Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: —
Affected Products: 2

Affected packages

vitejs / vite
>= 8.0.0, < 8.0.5 · >= 7.0.0, < 7.3.2 · >= 6.0.0, < 6.4.2
vitejs / vite-plus
< 0.1.16

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583

Metrics