cbcvebase.
CVE-2026-39363
published 2026-04-07

Priority: P2 (63)
Severity: high, CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: EXPLOIT
EPSS: 2.91% (85.2nd percentile)
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Affected (11 ranges)

Vendor     Product     Version range         Fixed in
vitejs     vite        (not given)
vitejs     vite        (not given)
vitejs     vite        (not given)
vitejs     vite        >= 6.0.0 < 6.4.2      6.4.2
vitejs     vite        6.0.0 – 6.4.1
vitejs     vite        >= 7.0.0 < 7.3.2      7.3.2
vitejs     vite        7.0.0 – 7.3.1
vitejs     vite        >= 8.0.0 < 8.0.5      8.0.5
vitejs     vite        8.0.0 – 8.0.4
vitejs     vite-plus   < 0.1.16              0.1.16
voidzero   vite        <= 0.1.15

Detection & IOCs (extracted from sources)

  • other: vite:invoke
  • url: file:///etc/passwd?raw
  • other: vite-hmr
  • other: /@vite/client
  • bytes: 81fe0081000000007b2274797065223a22637573746f6d222c226576656e74223a22766974653a696e766f6b65222c2264617461223a7b226964223a22766974652d696e766f6b653a73656e643a30222c226e616d65223a2266657463684d6f64756c65222c2264617461223a5b2266696c653a2f2f2f6574632f7061737377643f726177225d7d7d
    (a masked WebSocket text frame, header 81 fe 00 81 with mask key 00000000, whose 129-byte payload is the JSON message {"type":"custom","event":"vite:invoke","data":{"id":"vite-invoke:send:0","name":"fetchModule","data":["file:///etc/passwd?raw"]}})
  • Match WebSocket frames containing the pattern '{"type":"custom","event":"vite:invoke"' with a 'fetchModule' name and a 'file://' data argument as an indicator of active exploitation
  • Responses containing both 'root:' and 'export default' in the same WebSocket message body indicate successful arbitrary file read exploitation
  • Identify exposed Vite dev servers via FOFA/Shodan using the body string '/@vite/client' or title 'Vite App' as a pre-exploitation reconnaissance indicator
  • The ?raw and ?inline query parameters appended to file:// URLs are attack-specific indicators; monitor for these patterns in WebSocket message payloads directed at Vite dev server endpoints
  • The server.fs.allow and server.fs.deny access controls are NOT enforced on the WebSocket-based fetchModule execution path, meaning filesystem restrictions configured for HTTP requests do not protect against this attack vector
  • Affected Vite versions are 6.0.0 up to (not including) 6.4.2, all 7.x up to (not including) 7.3.2, and all 8.x up to (not including) 8.0.5; deployments on these versions with any network exposure are at risk
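The indicators above, turned into detection logic as an added example (not code from the Vite project or from this advisory): decode one RFC 6455 WebSocket frame, such as the bytes IOC listed above, and test its JSON payload for the vite:invoke / fetchModule / file:// pattern. It assumes Node.js 18 or later and handles the masked client-to-server frames a sensor in front of a dev server would see.

```javascript
// Added example, not code from the Vite project or this advisory: decode one
// RFC 6455 WebSocket text frame and test its payload against the vite:invoke /
// fetchModule / file:// indicator listed above. Assumes Node.js 18+ (Buffer).

// Build a single text frame (FIN + opcode 1). Passing a 4-byte maskKey Buffer
// produces a client-to-server frame; omit it for an unmasked server frame.
function encodeFrame(text, maskKey = null) {
  const payload = Buffer.from(text, 'utf8');
  const len = payload.length;
  const header = [0x81];
  if (len < 126) header.push(len);
  else if (len < 0x10000) header.push(126, len >> 8, len & 0xff);
  else throw new Error('payloads of 64 KiB or more are not handled here');
  if (!maskKey) return Buffer.concat([Buffer.from(header), payload]);
  header[1] |= 0x80;
  for (let i = 0; i < len; i++) payload[i] ^= maskKey[i % 4];
  return Buffer.concat([Buffer.from(header), maskKey, payload]);
}

// Parse one frame and return its unmasked payload as a UTF-8 string.
function decodeFrame(buf) {
  const masked = (buf[1] & 0x80) !== 0;
  let len = buf[1] & 0x7f;
  let offset = 2;
  if (len === 126) { len = buf.readUInt16BE(2); offset = 4; }
  else if (len === 127) { len = Number(buf.readBigUInt64BE(2)); offset = 10; }
  let mask = null;
  if (masked) { mask = buf.subarray(offset, offset + 4); offset += 4; }
  const payload = Buffer.from(buf.subarray(offset, offset + len)); // copy
  if (masked) for (let i = 0; i < payload.length; i++) payload[i] ^= mask[i % 4];
  return payload.toString('utf8');
}

// True when the payload is a vite:invoke call of fetchModule whose argument is
// a file:// URL carrying ?raw or ?inline, i.e. the CVE-2026-39363 read pattern.
// Normal HMR messages and fetchModule calls for project module ids return false.
function isFileReadViaFetchModule(text) {
  let msg;
  try { msg = JSON.parse(text); } catch { return false; }
  if (msg?.type !== 'custom' || msg.event !== 'vite:invoke') return false;
  if (msg.data?.name !== 'fetchModule') return false;
  const args = Array.isArray(msg.data.data) ? msg.data.data : [];
  return args.some((a) => typeof a === 'string'
    && a.startsWith('file://') && /[?&](?:raw|inline)(?:[&=]|$)/.test(a));
}

// Constructed sample: the masked frame from the IOC list above (mask key 00000000).
const SAMPLE_PAYLOAD = '{"type":"custom","event":"vite:invoke","data":{"id":"vite-invoke:send:0","name":"fetchModule","data":["file:///etc/passwd?raw"]}}';
const SAMPLE_FRAME = encodeFrame(SAMPLE_PAYLOAD, Buffer.alloc(4));
```

A sensor would run decodeFrame on each inbound frame and alert when isFileReadViaFetchModule returns true; the response-side check (a message containing both "export default" and sensitive file content) is a separate rule.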

CVSS provenance

  • nvd, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • nvd, CVSS v4.0: 8.2 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • vendor_redhat: 8.2 HIGH