Description
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Published: 2026-04-07
Score: 8.2 High
EPSS: 2.3% Low
KEV: No
Impact: Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

An attacker who can connect to the Vite dev server’s WebSocket without an Origin header can trigger the vite:invoke event to call fetchModule. By combining a file:// path with the ?raw or ?inline query, the attacker can read the contents of any file on the server as a JavaScript string. This allows disclosure of sensitive file data, such as configuration files or secrets, violating confidentiality. The vulnerability demonstrates weaknesses corresponding to CWE-1220, CWE-200, and CWE-306.

Affected Systems

Vite, including the vite-plus variant, is affected in all releases from 6.0.0 up to, but not including, 6.4.2, as well as the isolated releases 7.3.2 and 8.0.5. Users of these versions that run a Vite dev server exposed to network traffic are vulnerable. The fix is available in 6.4.2, 7.3.2, and 8.0.5 and later.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity vulnerability. Exploitation requires network access to the dev server’s WebSocket and no authentication. Because the exploit path does not require special privileges or origin validation, any remote actor who can reach the WebSocket can read arbitrary files. The EPSS score is 2%, indicating a moderate likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog, but the high CVSS reflects the potential impact and ease of exploitation.

Generated by OpenCVE AI on April 21, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vite to at least version 6.4.2, 7.3.2, or 8.0.5, or any newer release that includes the patch.
  • Restrict access to the dev server by binding it to localhost or configuring firewall rules to limit inbound WebSocket connections.
  • If an upgrade cannot be performed immediately, eliminate exposure of the dev server to untrusted networks and consider disabling WebSocket usage in development environments.

Generated by OpenCVE AI on April 21, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p9ff-h696-f583 Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
History

Thu, 30 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Voidzero
Voidzero vite\+
CPEs cpe:2.3:a:vitejs:vite-plus:*:*:*:*:*:node.js:*:* cpe:2.3:a:voidzero:vite\+:*:*:*:*:*:node.js:*:*
Vendors & Products Voidzero
Voidzero vite\+

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vitejs:vite-plus:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*

Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Vitejs
Vitejs vite
Vitejs vite-plus
Vendors & Products Vitejs
Vitejs vite
Vitejs vite-plus

Wed, 08 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1220
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Important

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Title Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
Weaknesses CWE-200
CWE-306
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Vitejs Vite Vite-plus
Voidzero Vite\+
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T17:52:58.420Z

Reserved: 2026-04-06T21:29:17.349Z

Link: CVE-2026-39363

cve-icon Vulnrichment

Updated: 2026-04-08T17:52:38.627Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:30.000

Modified: 2026-04-30T18:34:19.693

Link: CVE-2026-39363

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T19:10:44Z

Links: CVE-2026-39363 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses