CVE-2026-39363 - Vulnerability Details

- Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Description

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Published: 2026-04-07

Score: 8.2 High

EPSS: 8.7% Low

KEV: No

Impact:

Action:

Analysis

Impact

An attacker who can connect to the Vite dev server’s WebSocket without an Origin header can trigger a custom vite:invoke event that calls fetchModule. By providing a file:// path appended with ?raw or ?inline, the attacker can obtain the contents of any file on the server encoded as a JavaScript string. This enables the disclosure of sensitive configuration files, secrets, or other confidential data, representing a clear breach of confidentiality and demonstrating weaknesses associated with CWE‑1220, CWE‑200, and CWE‑306.

Affected Systems

The Vite framework, including the vite-plus variant, is affected in all releases older than 6.4.2, 7.3.2, and 8.0.5. This includes version ranges such as 6.0.0‑6.4.1, 7.0.0‑7.3.1, and 8.0.0‑8.0.4. Users running a Vite dev server that is exposed to network traffic are at risk until they upgrade to the patched releases.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. Exploitation requires only the ability to reach the dev server’s WebSocket and does not require authentication or elevated privileges, as the server’s HTTP access controls are not applied to the WebSocket path. The EPSS score of 9% shows a moderate likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, but the high CVSS and the ease of remote exploitation make it a significant risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

vitejs

vite

affected

Version	Status	Constraints
`>= 8.0.0, < 8.0.5`	affected	—
`>= 7.0.0, < 7.3.2`	affected	—
`>= 6.0.0, < 6.4.2`	affected	—

vitejs

vite-plus

affected

Version	Status	Constraints
`< 0.1.16`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:vitejs:vite::::::node.js::*
	cpe:2.3:a:voidzero:vite\+::::::node.js::*

No data.

Vendor Product Confidence Versions

Vitejs

Vite

100%

Version	Status	Scheme	Platform
`[8.0.0,8.0.5)`	affected	semver	—
`[7.0.0,7.3.2)`	affected	semver	—
`[6.0.0,6.4.2)`	affected	semver	—

Vitejs

Vite-plus

100%

Version	Status	Scheme	Platform
`[0,0.1.16)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Vite 6.4.2, 7.3.2, 8.0.5 or later to remove the flaw.
Restrict the dev server’s WebSocket endpoint to trusted hosts or network segments using a firewall or reverse‑proxy rule.
Bind the dev server to localhost or place it behind authentication so that remote actors cannot access it.

Generated by OpenCVE AI on May 19, 2026 at 14:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-p9ff-h696-f583	Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.08748.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583
https://nvd.nist.gov/vuln/detail/CVE-2026-39363
https://www.cve.org/CVERecord?id=CVE-2026-39363

History

Thu, 30 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Voidzero Voidzero vite\+
CPEs	cpe:2.3:a:vitejs:vite-plus::::::node.js::*	cpe:2.3:a:voidzero:vite\+::::::node.js::*
Vendors & Products		Voidzero Voidzero vite\+

Wed, 15 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:vitejs:vite-plus::::::node.js::* cpe:2.3:a:vitejs:vite::::::node.js::*

Fri, 10 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vitejs Vitejs vite Vitejs vite-plus
Vendors & Products		Vitejs Vitejs vite Vitejs vite-plus

Wed, 08 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1220
References		https://nvd.nist.gov/vuln/detail/CVE-2026-39363 https://www.cve.org/CVERecord?id=CVE-2026-39363
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` threat_severity `Important`

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Title		Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
Weaknesses		CWE-200 CWE-306
References		https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583
Metrics		cvssV4_0 `{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Vitejs Vite Vite-plus

Voidzero Vite\+

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T19:10:44.916Z

Updated: 2026-04-08T17:52:58.420Z

Reserved: 2026-04-06T21:29:17.349Z

Link: CVE-2026-39363

Vulnrichment

Updated: 2026-04-08T17:52:38.627Z

NVD

Status : Analyzed

Published: 2026-04-07T20:16:30.000

Modified: 2026-04-30T18:34:19.693

Link: CVE-2026-39363

Redhat

Severity : Important

Publid Date: 2026-04-07T19:10:44Z

Links: CVE-2026-39363 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T14:45:07Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object