CVE-2026-39363
Unauthorized File Read via WebSocket in Vite Dev Server

Publication date: 2026-04-07

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (4 associated CPEs)
Vendor     Product   Version / Range
vitejs     vite      From 6.0.0 (inc) to 6.4.1 (inc)
vitejs     vite      From 7.0.0 (inc) to 7.3.1 (inc)
vitejs     vite      From 8.0.0 (inc) to 8.0.4 (inc)
voidzero   vite+     Up to 0.1.15 (inc)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the Vite development server's WebSocket interface in certain versions of the Vite and vite-plus npm packages. An attacker can connect to the Vite dev server's WebSocket without an Origin header and invoke a custom WebSocket event called "vite:invoke" to call the fetchModule method with a file URL (file://...) combined with query parameters like ?raw or ?inline. This causes the server to return the contents of arbitrary files on the server as JavaScript strings, bypassing the usual file system access control checks that are enforced on HTTP requests.

The vulnerability exists because the server.fs file system access control is not applied to fetchModule calls made via the WebSocket interface. This means that even files normally restricted by server.fs.allow can be accessed through this WebSocket-based execution path.

The vulnerability affects Vite versions from 6.0.0 up to before 6.4.2, 7.3.2, and 8.0.5, and vite-plus versions up to 0.1.15. It is fixed in Vite versions 6.4.2, 7.3.2, 8.0.5 and vite-plus 0.1.16.


How can this vulnerability impact me?

This vulnerability can have a high impact on the confidentiality of your system because it allows remote attackers to read arbitrary files on the development server. Sensitive information such as configuration files, credentials, or other private data stored on the server could be exposed.

There is no impact on the integrity or availability of the system, as the vulnerability does not allow modification or deletion of files, nor does it cause denial of service.

The vulnerability requires that the Vite dev server be exposed to the network (for example, started with --host or configured with server.host) and that the WebSocket interface is enabled and accessible without an Origin header.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Vite development server is exposed to the network with WebSocket enabled and if it accepts connections without an Origin header. A practical approach is to attempt connecting to the Vite dev server's WebSocket interface and invoke the fetchModule method via the custom WebSocket event "vite:invoke" with a file URL (e.g., file:///etc/passwd?raw). If the server returns the contents of the file as a JavaScript module, the vulnerability is present.

Example commands to test this include starting the Vite dev server with network exposure (e.g., `vite --host 0.0.0.0 --port 5173`) and then using a WebSocket client to connect without an Origin header and send a "vite:invoke" event to fetch a sensitive file. If the file contents are returned, the vulnerability exists.
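A less intrusive check than probing the WebSocket is to inventory installed versions. The following is an added example (not part of this record or of the Vite project) that scans the "packages" map of a package-lock.json for vite and vite-plus copies inside the affected ranges listed in the CPE table above; the sample lockfile is constructed.

```javascript
// Added example (not from the advisory or the Vite project): flag installed
// vite / vite-plus versions inside the affected ranges from the CPE table above.
const AFFECTED = {
  'vite': [['6.0.0', '6.4.1'], ['7.0.0', '7.3.1'], ['8.0.0', '8.0.4']],
  'vite-plus': [['0.0.0', '0.1.15']],
};

// "major.minor.patch" -> [major, minor, patch]; a pre-release tag ("-beta.1")
// is ignored as an approximation; non-semver input yields null.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Three-part numeric comparison: negative, zero or positive like strcmp.
function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when pkg@version lies inside an affected range (both ends inclusive).
function isAffected(pkg, version) {
  const v = parseSemver(version);
  const ranges = AFFECTED[pkg];
  if (!v || !ranges) return false;
  return ranges.some(([lo, hi]) =>
    cmpSemver(v, parseSemver(lo)) >= 0 && cmpSemver(v, parseSemver(hi)) <= 0);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json (keys like
// "node_modules/vite") so nested copies under other packages are found too.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // "" for the root entry
    if (name && isAffected(name, entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (not a real project) with a nested vite copy.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vite': { version: '7.3.1' },
    'node_modules/vite-plus': { version: '0.1.16' },
    'node_modules/some-tool/node_modules/vite': { version: '6.4.2' },
  },
};
console.log(scanLockfile(SAMPLE_LOCK)); // one hit: node_modules/vite 7.3.1
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; lockfileVersion 1 files use a "dependencies" tree instead and are not handled here.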


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Vite package to a patched version where this vulnerability is fixed. Specifically, upgrade to vite versions 6.4.2, 7.3.2, or 8.0.5, or vite-plus version 0.1.16.

Additionally, avoid exposing the Vite dev server to untrusted networks by not using the `--host` option or configuring `server.host` to be accessible only locally. Disabling the WebSocket interface by setting `server.ws: false` can also mitigate the risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to read arbitrary files on the Vite development server, potentially exposing sensitive information. Such unauthorized disclosure of sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Because the vulnerability results in a high confidentiality impact by exposing sensitive files, organizations using affected versions of Vite without proper mitigation may risk violating confidentiality requirements mandated by these regulations.

