CVE-2026-39363
Modified Modified - Updated After Analysis

Unauthorized File Read via WebSocket in Vite Dev Server

Vulnerability report for CVE-2026-39363, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-07

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-07
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
vitejs vite From 6.0.0 (inc) to 6.4.1 (inc)
vitejs vite From 7.0.0 (inc) to 7.3.1 (inc)
vitejs vite From 8.0.0 (inc) to 8.0.4 (inc)
voidzero vite+ to 0.1.15 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1220 The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Vite development server's WebSocket interface in certain versions of the Vite and vite-plus npm packages. An attacker can connect to the Vite dev server's WebSocket without an Origin header and invoke a custom WebSocket event called "vite:invoke" to call the fetchModule method with a file URL (file://...) combined with query parameters like ?raw or ?inline. This causes the server to return the contents of arbitrary files on the server as JavaScript strings, bypassing the usual file system access control checks that are enforced on HTTP requests.

The vulnerability exists because the server.fs file system access control is not applied to fetchModule calls made via the WebSocket interface. This means that even files normally restricted by server.fs.allow can be accessed through this WebSocket-based execution path.

The vulnerability affects Vite versions from 6.0.0 up to before 6.4.2, 7.3.2, and 8.0.5, and vite-plus versions up to 0.1.15. It is fixed in Vite versions 6.4.2, 7.3.2, 8.0.5 and vite-plus 0.1.16.

Impact Analysis

This vulnerability can have a high impact on the confidentiality of your system because it allows remote attackers to read arbitrary files on the development server. Sensitive information such as configuration files, credentials, or other private data stored on the server could be exposed.

There is no impact on the integrity or availability of the system, as the vulnerability does not allow modification or deletion of files, nor does it cause denial of service.

The vulnerability requires that the Vite dev server be exposed to the network (for example, started with --host or configured with server.host) and that the WebSocket interface is enabled and accessible without an Origin header.

Detection Guidance

This vulnerability can be detected by checking if the Vite development server is exposed to the network with WebSocket enabled and if it accepts connections without an Origin header. A practical approach is to attempt connecting to the Vite dev server's WebSocket interface and invoke the fetchModule method via the custom WebSocket event "vite:invoke" with a file URL (e.g., file:///etc/passwd?raw). If the server returns the contents of the file as a JavaScript module, the vulnerability is present.

Example commands to test this include starting the Vite dev server with network exposure (e.g., `vite --host 0.0.0.0 --port 5173`) and then using a WebSocket client to connect without an Origin header and send a "vite:invoke" event to fetch a sensitive file. If the file contents are returned, the vulnerability exists.

Mitigation Strategies

The immediate mitigation step is to upgrade the Vite package to a patched version where this vulnerability is fixed. Specifically, upgrade to vite versions 6.4.2, 7.3.2, or 8.0.5, or vite-plus version 0.1.16.

Additionally, avoid exposing the Vite dev server to untrusted networks by not using the `--host` option or configuring `server.host` to be accessible only locally. Disabling the WebSocket interface by setting `server.ws: false` can also mitigate the risk.

Compliance Impact

This vulnerability allows an attacker to read arbitrary files on the Vite development server, potentially exposing sensitive information. Such unauthorized disclosure of sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Because the vulnerability results in a high confidentiality impact by exposing sensitive files, organizations using affected versions of Vite without proper mitigation may risk violating confidentiality requirements mandated by these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39363. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart