CVE-2026-39363 PUBLISHED

Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Assigner: GitHub_M
Reserved: 06.04.2026 Published: 07.04.2026 Updated: 07.04.2026

Vite is a frontend tooling framework for JavaScript. In versions 6.0.0 and later before 6.4.2, 7.x before 7.3.2, and 8.x before 8.0.5, if an attacker can open a WebSocket connection to the Vite dev server without an Origin header, they can invoke fetchModule through the custom WebSocket event vite:invoke and combine a file://... URL with the ?raw (or ?inline) query to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced on the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.2

Product Status

Vendor vitejs
Product vite
Versions
  • Version >= 8.0.0, < 8.0.5 is affected
  • Version >= 7.0.0, < 7.3.2 is affected
  • Version >= 6.0.0, < 6.4.2 is affected
Vendor vitejs
Product vite-plus
Versions
  • Version < 0.1.16 is affected
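Added example, not part of the CVE record and not code from the Vite project: three checks a practitioner would want for this advisory, in one Node.js script. isAffectedVersion applies the version ranges listed under Product Status (for both vite and vite-plus); acceptWebSocketUpgrade is a hypothetical Origin policy for a dev server's WebSocket upgrade handler that closes the precondition the description names (a connection with no Origin header); flagHmrMessage is a heuristic detector for the message class described (a vite:invoke custom event calling fetchModule with a file:// URL and ?raw or ?inline). Assumptions: Vite HMR custom events are JSON objects of the shape {type:"custom", event:..., data:...}; the exact argument layout of fetchModule inside data is not given in the record, so the detector matches the serialized data textually, and the sample frames below are constructed for illustration only.

```javascript
// Added example for CVE-2026-39363 (not the CVE record's or Vite's own code).

// Affected ranges copied from the Product Status section: within each major
// line, versions below the listed fixed release are affected.
const AFFECTED = {
  vite: [
    { major: 8, fixed: [8, 0, 5] },
    { major: 7, fixed: [7, 3, 2] },
    { major: 6, fixed: [6, 4, 2] },
  ],
  "vite-plus": [{ major: 0, fixed: [0, 1, 16] }], // "< 0.1.16"
};

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` of `product` falls inside an affected range.
// Majors not listed (e.g. vite 5.x) are not in the advisory and return false.
function isAffectedVersion(version, product = "vite") {
  const ver = parseVersion(version);
  const range = (AFFECTED[product] || []).find((r) => r.major === ver[0]);
  return range ? cmp(ver, range.fixed) < 0 : false;
}

// Hypothetical Origin policy for a WebSocket upgrade handler (assumption: headers
// is the lower-cased header map Node's http module passes to an 'upgrade' listener).
// Rejects upgrades with no Origin, an unparseable/opaque ("null") Origin, or an
// Origin outside the allow list; this is the precondition the advisory names.
function acceptWebSocketUpgrade(headers, allowedOrigins) {
  const origin = headers["origin"];
  if (typeof origin !== "string" || origin === "") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  return allowedOrigins.includes(parsed.origin);
}

// Heuristic detector over one WebSocket text frame. ASSUMPTION: the HMR custom
// event wire shape is {type:"custom", event:"vite:invoke", data:...}; the layout
// of `data` is not given in the record, so it is matched after serialization.
function flagHmrMessage(rawFrame) {
  let msg;
  try {
    msg = JSON.parse(rawFrame);
  } catch {
    return { flagged: false, reason: "not JSON" };
  }
  if (!msg || msg.type !== "custom" || msg.event !== "vite:invoke") {
    return { flagged: false, reason: "not a vite:invoke custom event" };
  }
  const body = JSON.stringify(msg.data === undefined ? null : msg.data);
  const callsFetchModule = body.includes("fetchModule");
  const fileRawUrl = /file:\/\/[^"\s]*\?(?:raw|inline)\b/.test(body);
  if (callsFetchModule && fileRawUrl) {
    return { flagged: true, reason: "vite:invoke fetchModule with file:// and ?raw/?inline" };
  }
  return { flagged: false, reason: "vite:invoke without file:// raw/inline read" };
}

// Constructed sample frames (illustrative only; argument layout is assumed).
const SAMPLE_FRAMES = {
  ping: '{"type":"ping"}',
  ordinaryInvoke:
    '{"type":"custom","event":"vite:invoke","data":{"name":"fetchModule","data":["/src/main.ts"]}}',
  suspicious:
    '{"type":"custom","event":"vite:invoke","data":{"name":"fetchModule","data":["file:///etc/hostname?raw"]}}',
};

if (typeof require !== "undefined" && require.main === module) {
  for (const v of ["6.4.1", "6.4.2", "7.3.1", "8.0.5"]) {
    console.log(`vite ${v}: affected=${isAffectedVersion(v)}`);
  }
  console.log("no Origin:", acceptWebSocketUpgrade({}, ["http://localhost:5173"]));
  for (const [name, frame] of Object.entries(SAMPLE_FRAMES)) {
    console.log(name, flagHmrMessage(frame));
  }
}
```

The version check is the quick triage step; the Origin policy is the structural fix a dev-server operator should verify is in place (the advisory's CVSS vector marks the attack as requiring that precondition, AT:P); the frame detector is a coarse signal suited to a proxy or log review in front of a dev server, not a substitute for upgrading to the fixed releases.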

Problem Types

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-306: Missing Authentication for Critical Function