CVE-2026-39363
Received Received - Intake
Unauthorized File Read via WebSocket in Vite Dev Server

Publication date: 2026-04-07

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39363
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vitejs vite From 6.0.0 (inc) to 6.4.1 (inc)
vitejs vite From 7.0.0 (inc) to 7.3.1 (inc)
vitejs vite From 8.0.0 (inc) to 8.0.4 (inc)
voidzero vite+ to 0.1.15 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Vite development server's WebSocket interface in certain versions of the Vite and vite-plus npm packages. An attacker can connect to the Vite dev server's WebSocket without an Origin header and invoke a custom WebSocket event called "vite:invoke" to call the fetchModule method with a file URL (file://...) combined with query parameters like ?raw or ?inline. This causes the server to return the contents of arbitrary files on the server as JavaScript strings, bypassing the usual file system access control checks that are enforced on HTTP requests.

The vulnerability exists because the server.fs file system access control is not applied to fetchModule calls made via the WebSocket interface. This means that even files normally restricted by server.fs.allow can be accessed through this WebSocket-based execution path.

The vulnerability affects Vite versions from 6.0.0 up to before 6.4.2, 7.3.2, and 8.0.5, and vite-plus versions up to 0.1.15. It is fixed in Vite versions 6.4.2, 7.3.2, 8.0.5 and vite-plus 0.1.16.

Impact Analysis

This vulnerability can have a high impact on the confidentiality of your system because it allows remote attackers to read arbitrary files on the development server. Sensitive information such as configuration files, credentials, or other private data stored on the server could be exposed.

There is no impact on the integrity or availability of the system, as the vulnerability does not allow modification or deletion of files, nor does it cause denial of service.

The vulnerability requires that the Vite dev server be exposed to the network (for example, started with --host or configured with server.host) and that the WebSocket interface is enabled and accessible without an Origin header.

Detection Guidance

This vulnerability can be detected by checking if the Vite development server is exposed to the network with WebSocket enabled and if it accepts connections without an Origin header. A practical approach is to attempt connecting to the Vite dev server's WebSocket interface and invoke the fetchModule method via the custom WebSocket event "vite:invoke" with a file URL (e.g., file:///etc/passwd?raw). If the server returns the contents of the file as a JavaScript module, the vulnerability is present.

Example commands to test this include starting the Vite dev server with network exposure (e.g., `vite --host 0.0.0.0 --port 5173`) and then using a WebSocket client to connect without an Origin header and send a "vite:invoke" event to fetch a sensitive file. If the file contents are returned, the vulnerability exists.

Mitigation Strategies

The immediate mitigation step is to upgrade the Vite package to a patched version where this vulnerability is fixed. Specifically, upgrade to vite versions 6.4.2, 7.3.2, or 8.0.5, or vite-plus version 0.1.16.

Additionally, avoid exposing the Vite dev server to untrusted networks by not using the `--host` option or configuring `server.host` to be accessible only locally. Disabling the WebSocket interface by setting `server.ws: false` can also mitigate the risk.

Compliance Impact

This vulnerability allows an attacker to read arbitrary files on the Vite development server, potentially exposing sensitive information. Such unauthorized disclosure of sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Because the vulnerability results in a high confidentiality impact by exposing sensitive files, organizations using affected versions of Vite without proper mitigation may risk violating confidentiality requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39363. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart