Vite has become the “speed demon” of modern frontend development, prized for its lightning-fast Hot Module Replacement (HMR) and native ES module serving. However, two recently disclosed vulnerabilities, CVE-2026-39364 and CVE-2026-39363, remind developers that performance often comes with a side of security risk.
If you are running an unpatched version of Vite and exposing your dev server to the network, your sensitive files (like .env or system passwords) could be just one query away from an attacker.
Vite uses a configuration setting called server.fs.deny to prevent the browser from accessing sensitive files like .env or SSL certificates. CVE-2026-39364 describes how this “deny list” can be bypassed with a simple trick: query parameters.
Normally, Vite blocks a request to /src/.env with a 403 Forbidden. However, if an attacker appends a query parameter such as ?raw, ?import&raw, or ?import&url&inline, the server mistakenly treats the file as a valid asset and serves the content with an HTTP 200 response. Highly sensitive configuration files can be leaked to anyone on the network.
While the first flaw exploits the standard HTTP path, CVE-2026-39363 goes deeper by targeting the WebSocket used for Vite’s HMR.
The Vite dev server exposes a method called fetchModule through its WebSocket. Researchers found that the access controls (the “allow list”) enforced on HTTP requests are not applied to this WebSocket execution path. By connecting to the WebSocket without an Origin header, an attacker can invoke a custom event called vite:invoke.
By combining this with a file:// protocol and the ?raw query, an attacker can read arbitrary files from the developer’s machine, such as /etc/passwd, and receive the data back as a JavaScript string.
The impact is a full arbitrary file read on the development machine, CI environment, or container.
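To illustrate the query-parameter bypass described above, here is an added example (not Vite’s own code, and no substitute for upgrading) of a Connect-style middleware that makes the deny decision on the decoded request path with the query string stripped, so suffixes such as ?raw or ?import&raw cannot change it. The pattern list and helper names are constructed for the example, and it covers only the HTTP path, not the HMR WebSocket fetchModule route.

```javascript
// Defence-in-depth request filter for a Vite dev server, added for this article
// (not Vite's own code). The deny decision is taken on the request *path* with
// the query string removed, so "?raw" or "?import&raw" suffixes cannot change it.
// DENY_PATTERNS is a constructed, simplified list; Vite's real fs.deny is glob-based.
const DENY_PATTERNS = [
  /^\.env(\..*)?$/,      // .env, .env.local, .env.production, ...
  /\.(pem|crt|key)$/,    // certificates and private keys
];

// Decoded, dot-segment-free path of a request URL; query and fragment dropped.
// Returns null when the path cannot be decoded (caller treats that as denied).
function requestPath(url) {
  const u = new URL(url, "http://dev.local"); // base is only needed to parse a relative URL
  let decoded;
  try { decoded = decodeURIComponent(u.pathname); } catch { return null; }
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

function isDeniedPath(url) {
  const path = requestPath(url);
  if (path === null) return true;               // fail closed on malformed encoding
  const base = path.slice(path.lastIndexOf("/") + 1);
  return DENY_PATTERNS.some((re) => re.test(base));
}

// Connect-style middleware; a Vite plugin could register it with
//   configureServer(server) { server.middlewares.use(denyMiddleware()); }
// It only covers HTTP requests, not the HMR WebSocket path.
function denyMiddleware(log = console.warn) {
  return (req, res, next) => {
    if (isDeniedPath(req.url)) {
      log(`blocked request for denied file: ${req.url}`);
      res.statusCode = 403;
      res.end("403 Forbidden");
      return;
    }
    next();
  };
}
```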
You are vulnerable if you match these conditions:
- Network Exposure: You use the --host flag or the server.host config to expose Vite to your network.
- WebSockets Enabled: For the second exploit, your WebSocket must be active (which is the default).
| Product | Affected Versions |
| --- | --- |
| Vite 8.x | |
| Vite 7.x | |
| Vite 6.x | |
| Vite-Plus | |
Security updates have been released to close these loopholes. To stay safe, junior admins and CISOs alike should ensure their teams upgrade to the following versions immediately:
- Vite 8.x: Upgrade to 8.0.5
- Vite 7.x: Upgrade to 7.3.2
- Vite 6.x: Upgrade to 6.4.2
- Vite-Plus: Upgrade to 0.1.16