CVE-2026-39363: Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
### Summary

The [`server.fs`](https://vite.dev/config/server-options#server-fs-strict) check was not enforced for the `fetchModule` method that is exposed in Vite dev server's WebSocket.

### Impact

Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- WebSocket is not disabled by `server.ws: false`

Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.

### Details

If it is possible to connect to the Vite dev server's WebSocket **without an `Origin` header**, an attacker can invoke `fetchModule` via the custom WebSocket event `vite:invoke` and combine `file://...` with `?raw` (or `?inline`) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., `export default "..."`). The access control enforced in the HTTP request path (such as `server.fs.allow`) is not applied to this WebSocket-based execution path.

### PoC

1. Start the dev server on the target. Example (used during validation with this repository):

   ```bash
   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173
   ```

2. Confirm that access is blocked via the HTTP path (example: arbitrary file):

   ```bash
   curl -i 'http://localhost:5173/@fs/etc/passwd?raw'
   ```

   Result: `403 Restricted` (outside the allow list)

3. Confirm that the same file can be retrieved via the WebSocket path. By connecting to the HMR WebSocket without an `Origin` header and sending a `vite:invoke` request that calls `fetchModule` with a `file://...` URL and `?raw`, the file contents are returned as a JavaScript module.
### Frequently Asked Questions

**What is the severity of CVE-2026-39363?**

CVE-2026-39363 has been rated as a high severity vulnerability due to the potential for arbitrary file read access.

**How do I fix CVE-2026-39363?**

To fix CVE-2026-39363, update Vite to version 6.4.2, 7.3.2, or 8.0.5 depending on your current version.

**What versions of Vite are affected by CVE-2026-39363?**

CVE-2026-39363 affects Vite versions from 6.0.0 to 6.4.1, 7.0.0 to 7.3.1, and 8.0.0 to 8.0.4.

**What is the main impact of CVE-2026-39363?**

The main impact of CVE-2026-39363 is the potential exposure of sensitive files through the Vite Dev Server WebSocket.

**Is CVE-2026-39363 related to specific applications?**

Yes, CVE-2026-39363 specifically impacts apps that use Vite's dev server with WebSocket support enabled.
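A practical way to act on the affected and fixed versions listed above is to check the Vite version a project actually has installed. The following is an added example, not code from Vite or from this advisory; it hard-codes the ranges stated here, compares a version string against them, and pulls the version out of the contents of `node_modules/vite/package.json` (the sample JSON is constructed, and the helper names are my own).

```javascript
// Added example, not Vite's own code: is a Vite version in the CVE-2026-39363 ranges?

// Affected ranges and fixed versions exactly as stated in the advisory.
const AFFECTED_RANGES = [
  { min: '6.0.0', max: '6.4.1', fixed: '6.4.2' },
  { min: '7.0.0', max: '7.3.1', fixed: '7.3.2' },
  { min: '8.0.0', max: '8.0.4', fixed: '8.0.5' },
];

// Parse "major.minor.patch" into numbers and flag a prerelease suffix,
// because "8.0.5-beta.0" sorts before 8.0.5 and must not count as fixed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { parts: m.slice(1, 4).map(Number), prerelease: Boolean(m[4]) };
}

// Three-way compare on major.minor.patch only (prerelease handled by caller).
function compareVersions(a, b) {
  const pa = parseVersion(a).parts, pb = parseVersion(b).parts;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, fixed } for a Vite version string.
function checkViteVersion(version) {
  const { prerelease } = parseVersion(version);
  for (const r of AFFECTED_RANGES) {
    const inRange = compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) <= 0;
    // Conservative: a prerelease of the fixing version predates the fix.
    const prereleaseOfFix = prerelease && compareVersions(version, r.fixed) === 0;
    if (inRange || prereleaseOfFix) return { affected: true, fixed: r.fixed };
  }
  return { affected: false, fixed: null };
}

// Extracts the version from the text of node_modules/vite/package.json (caller reads the file).
function viteVersionFromPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  if (pkg.name !== 'vite') throw new Error(`not a vite package.json: ${pkg.name}`);
  return pkg.version;
}

// Constructed sample input standing in for node_modules/vite/package.json.
const SAMPLE_PACKAGE_JSON = '{"name":"vite","version":"7.3.1"}';
const sampleResult = checkViteVersion(viteVersionFromPackageJson(SAMPLE_PACKAGE_JSON));
console.log(`vite 7.3.1: affected=${sampleResult.affected}, fixed in ${sampleResult.fixed}`);
```

Run it against the real file by reading `node_modules/vite/package.json` and passing its text to `viteVersionFromPackageJson`; a result with `affected: true` means the dev server should not be exposed with `--host` until the named fixed release is installed.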