Impact
Vite’s development server is vulnerable to a configuration bypass that allows unauthorized reading of files protected by the server.fs.deny setting. By appending query parameters such as ?raw, ?import&raw or ?import&url&inline to an HTTP request, a client receives an HTTP 200 response containing the contents of files that should otherwise be blocked, including environment files and certificate files. This vulnerability maps to multiple improper access control weaknesses, specifically CWE‑180 and CWE‑284, and represents an undocumented security risk (CWE‑472).
Affected Systems
The flaw affects the open-source Vite framework and its vite‑plus variant. It is present in all releases from 7.1.0 up to, but not including, 7.3.2 and from 8.0.0 up to, but not including, 8.0.5. Upgrading to version 7.3.2 or later, or 8.0.5 or later, removes the bypass.
Risk and Exploitability
The CVSS score of 8.2 indicates a high-severity vulnerability. The EPSS score is 5%, indicating a moderate probability of exploitation, and the flaw is not listed in CISA’s KEV catalog. Based on the description, the attack vector is inferred to be remote; an adversary must be able to send HTTP requests to a Vite dev server exposed over a network. Once the server is reachable, the exploit is straightforward and does not require additional privileges beyond the ability to construct URLs with the relevant query parameters. Successful exploitation results in the disclosure of sensitive configuration information and private keys, jeopardizing the confidentiality of the development environment and potentially the production environment if the same files are used. The impact is limited to the host running the dev server, but the compromised data could be leveraged for further attacks.
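A triage sketch for the two checks this advisory implies: whether an installed version falls in the affected ranges, and whether dev-server request logs show deny-listed files served with HTTP 200 under the listed query parameters. This is an added example, not code from Vite or the advisory; the log format, the deny patterns and the names `isAffected` and `flagRequests` are assumptions.

```javascript
// Added example: triage for the server.fs.deny bypass described in this advisory.
// Affected ranges as stated above: [7.1.0, 7.3.2) and [8.0.0, 8.0.5).
const AFFECTED = [["7.1.0", "7.3.2"], ["8.0.0", "8.0.5"]];

// Compare plain x.y.z versions (pre-release tags are not handled here).
function cmp(a, b) {
  const [x, y] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  return AFFECTED.some(([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) < 0);
}

// Assumption: patterns for the environment and certificate files the advisory
// mentions; align them with your own server.fs.deny value.
const DENIED = [/(^|\/)\.env(\.[^/]*)?$/, /\.(crt|pem)$/];
// Query keys from the advisory: ?raw, ?import&raw, ?import&url&inline.
const BYPASS_KEYS = ["raw", "inline"];

// Return requests where a deny-listed path was served with HTTP 200.
// Assumed log format (constructed): "<client> <METHOD> <url> <status>".
function flagRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const [client, , target, status] = line.trim().split(/\s+/);
    if (status !== "200" || !target) continue;
    let url, path;
    try {
      url = new URL(target, "http://dev.invalid");
      path = decodeURIComponent(url.pathname);
    } catch { continue; } // skip lines whose URL cannot be parsed
    const keys = [...url.searchParams.keys()];
    if (DENIED.some((re) => re.test(path)) && BYPASS_KEYS.some((k) => keys.includes(k))) {
      hits.push({ client, path, query: url.search });
    }
  }
  return hits;
}

// Constructed sample lines, not taken from a real server.
const SAMPLE_LOG = [
  "192.0.2.10 GET /src/main.ts 200",
  "192.0.2.10 GET /.env 403",
  "198.51.100.7 GET /.env?raw 200",
  "198.51.100.7 GET /@fs/srv/app/certs/dev.pem?import&url&inline 200",
  "192.0.2.10 GET /src/logo.svg?raw 200",
];
console.log(isAffected("7.3.1"), flagRequests(SAMPLE_LOG));
```

Any flagged request means the file's contents left the host, so the secrets it held should be rotated after upgrading.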