CVE-2026-39363
Published 2026-04-07
Priority: P2 · 63 · High · CVSS 3.1 base 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
EPSS: 2.91% (85.2th percentile)
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | >= 6.0.0, < 6.4.2 (6.0.0 – 6.4.1) | 6.4.2 |
| vitejs | vite | >= 7.0.0, < 7.3.2 (7.0.0 – 7.3.1) | 7.3.2 |
| vitejs | vite | >= 8.0.0, < 8.0.5 (8.0.0 – 8.0.4) | 8.0.5 |
| vitejs | vite-plus | < 0.1.16 | 0.1.16 |
| voidzero | vite | <= 0.1.15 | — |
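To turn the table above into a check that can be run against a dependency tree, here is an added example (not code from the page or from the Vite project) that walks output shaped like `npm ls --json --all` and reports every `vite` / `vite-plus` instance inside the affected ranges. The dependency tree is constructed inline for the example; the package names `ui-kit` and `legacy-tool` are hypothetical. Pre-release versions are ordered before the release they precede, as semver specifies, so `8.0.5-beta.1` still counts as affected by `< 8.0.5`. The `voidzero` row is not encoded because its product label is ambiguous on this page.

```javascript
// Added example: report vulnerable vite / vite-plus instances in a dependency tree.
// Ranges copied from the Affected table for CVE-2026-39363.
const AFFECTED = [
  { name: 'vite', min: '6.0.0', fixed: '6.4.2' },
  { name: 'vite', min: '7.0.0', fixed: '7.3.2' },
  { name: 'vite', min: '8.0.0', fixed: '8.0.5' },
  { name: 'vite-plus', min: '0.0.0', fixed: '0.1.16' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; build metadata (+...) is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric core first, then a pre-release sorts below the
// release; pre-release identifiers compare numerically when both are digits,
// lexically otherwise, and a shorter identifier list sorts lower.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const xn = /^\d+$/.test(x.pre[i]), yn = /^\d+$/.test(y.pre[i]);
    if (xn && yn) {
      if (Number(x.pre[i]) !== Number(y.pre[i])) return Number(x.pre[i]) < Number(y.pre[i]) ? -1 : 1;
    } else if (xn) return -1;
    else if (yn) return 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// True when version sits in [min, fixed) for any range of that package.
function isAffected(name, version) {
  return AFFECTED.filter((r) => r.name === name)
    .some((r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0);
}

// Recursively walk an `npm ls --json` style tree: { dependencies: { name: { version, dependencies } } }.
function findAffected(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = path.concat(name);
    if (node.version && isAffected(name, node.version)) {
      out.push({ name, version: node.version, path: chain.join(' > ') });
    }
    findAffected(node, chain, out);
  }
  return out;
}

// Constructed sample tree (package names other than vite are hypothetical).
const SAMPLE_NPM_LS = {
  name: 'example-app', version: '1.0.0',
  dependencies: {
    vite: { version: '6.3.5', dependencies: { esbuild: { version: '0.25.0' } } },
    'ui-kit': { version: '2.0.0', dependencies: { vite: { version: '7.3.2' } } },
    'legacy-tool': { version: '1.2.3', dependencies: { vite: { version: '8.0.4' } } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findAffected(SAMPLE_NPM_LS));
}
```

Feed it real data with `npm ls --json --all > tree.json` and `JSON.parse` the file; nested copies matter because a tool's bundled `vite` is exposed as soon as that tool starts a dev server with `--host`.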
Detection & IOCs (extracted from sources)
Captured WebSocket frame, hex (byte 0x81 = FIN + text opcode, byte 0xfe = masked with 16-bit length, 0x0081 = 129-byte payload, mask key 00000000):
81fe0081000000007b2274797065223a22637573746f6d222c226576656e74223a22766974653a696e766f6b65222c2264617461223a7b226964223a22766974652d696e766f6b653a73656e643a30222c226e616d65223a2266657463684d6f64756c65222c2264617461223a5b2266696c653a2f2f2f6574632f7061737377643f726177225d7d7d
Decoded payload:
{"type":"custom","event":"vite:invoke","data":{"id":"vite-invoke:send:0","name":"fetchModule","data":["file:///etc/passwd?raw"]}}
- Match WebSocket frames containing the pattern '{"type":"custom","event":"vite:invoke"' with a 'fetchModule' name and a 'file://' data argument as an indicator of active exploitation. Note that RFC 6455 requires client-to-server frames to be masked, so a byte-pattern match on raw traffic only hits when the mask key happens to be zero (as in the capture above) or the sensor unmasks frames; apply the pattern to the unmasked payload.
- Responses containing both 'root:' and 'export default' in the same WebSocket message body indicate successful arbitrary file read exploitation.
- Identify exposed Vite dev servers via FOFA/Shodan using the body string '/@vite/client' or title 'Vite App' as a pre-exploitation reconnaissance indicator.
- The ?raw and ?inline query parameters appended to file:// URLs are attack-specific indicators; monitor for these patterns in WebSocket message payloads directed at Vite dev server endpoints.
- The server.fs.allow and server.fs.deny access controls are NOT enforced on the WebSocket-based fetchModule execution path, so filesystem restrictions configured for HTTP requests do not protect against this attack vector.
- Affected Vite versions are 6.0.0 up to (not including) 6.4.2, 7.x up to (not including) 7.3.2, and 8.x up to (not including) 8.0.5; deployments on these versions with any network exposure are at risk.
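The two IOC rules above (request side and response side) as runnable detection logic, written as an added example that is neither Vite project code nor part of the advisory. It decodes a raw WebSocket frame (including unmasking, which a sensor must do before pattern matching), parses the JSON and applies the vite:invoke / fetchModule / file:// rule; CAPTURED_FRAME_HEX is the frame quoted above, while the "connected" message and the masked re-encoding are constructed here for contrast.

```javascript
// Added example: WebSocket frame decoding plus the CVE-2026-39363 IOC rules.

// Minimal RFC 6455 frame decoder: FIN/opcode, 7/16/64-bit payload length and
// client-side masking. Fragmented messages are not reassembled.
function decodeWsFrame(buf) {
  if (buf.length < 2) throw new Error('truncated header');
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let len = buf[1] & 0x7f;
  let off = 2;
  if (len === 126) { len = buf.readUInt16BE(off); off += 2; }
  else if (len === 127) { len = Number(buf.readBigUInt64BE(off)); off += 8; }
  let mask = null;
  if (masked) { mask = buf.subarray(off, off + 4); off += 4; }
  if (buf.length < off + len) throw new Error('truncated payload');
  const payload = Buffer.from(buf.subarray(off, off + len)); // copy before unmasking in place
  if (mask) for (let i = 0; i < payload.length; i++) payload[i] ^= mask[i & 3];
  return { fin, opcode, masked, payload, text: opcode === 1 ? payload.toString('utf8') : null };
}

// Encoder used only to construct sample frames (browser clients always mask).
function encodeTextFrame(text, maskKey) {
  const payload = Buffer.from(text, 'utf8');
  const maskBit = maskKey ? 0x80 : 0x00;
  const header = [0x81];
  if (payload.length < 126) header.push(maskBit | payload.length);
  else if (payload.length < 65536) header.push(maskBit | 126, payload.length >> 8, payload.length & 0xff);
  else throw new Error('sample frames are short');
  if (!maskKey) return Buffer.concat([Buffer.from(header), payload]);
  const masked = Buffer.alloc(payload.length);
  for (let i = 0; i < payload.length; i++) masked[i] = payload[i] ^ maskKey[i & 3];
  return Buffer.concat([Buffer.from(header), Buffer.from(maskKey), masked]);
}

// Request-side rule: custom event vite:invoke naming fetchModule with a
// file:// argument; the ?raw / ?inline suffix is reported separately.
function inspectViteRequest(text) {
  let msg;
  try { msg = JSON.parse(text); } catch { return { suspicious: false, reason: 'not JSON' }; }
  if (!msg || msg.type !== 'custom' || msg.event !== 'vite:invoke') {
    return { suspicious: false, reason: 'not a vite:invoke event' };
  }
  const name = msg.data && msg.data.name;
  const args = msg.data && Array.isArray(msg.data.data) ? msg.data.data : [];
  const fileArgs = args.filter((a) => typeof a === 'string' && a.startsWith('file://'));
  if (name === 'fetchModule' && fileArgs.length > 0) {
    const withRaw = fileArgs.some((a) => /\?(raw|inline)(&|$)/.test(a));
    return { suspicious: true, reason: 'fetchModule invoked with file:// argument', fileArgs, withRaw };
  }
  return { suspicious: false, reason: `vite:invoke ${name} without file:// argument` };
}

// Response-side rule: 'export default' together with 'root:' in one message
// means a passwd-style file was returned as a JavaScript string.
function inspectViteResponse(text) {
  return text.includes('export default') && text.includes('root:');
}

// Frame quoted in the Detection & IOCs section (mask key all zeros, which is
// why the JSON is readable on the wire).
const CAPTURED_FRAME_HEX =
  '81fe0081000000007b2274797065223a22637573746f6d222c226576656e74223a22766974653a696e766f6b65222c2264617461223a7b226964223a22766974652d696e766f6b653a73656e643a30222c226e616d65223a2266657463684d6f64756c65222c2264617461223a5b2266696c653a2f2f2f6574632f7061737377643f726177225d7d7d';

function analyzeFrameHex(hex) {
  const frame = decodeWsFrame(Buffer.from(hex, 'hex'));
  return { masked: frame.masked, text: frame.text, ...inspectViteRequest(frame.text) };
}

// Constructed benign HMR-style message, masked with a non-zero key, for contrast.
const BENIGN_FRAME = encodeTextFrame('{"type":"connected"}', [0x12, 0x34, 0x56, 0x78]);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyzeFrameHex(CAPTURED_FRAME_HEX));
  console.log(inspectViteRequest(decodeWsFrame(BENIGN_FRAME).text));
}
```

The decoder is the part a naive signature misses: the same payload re-encoded with a non-zero mask key carries none of the literal bytes of `vite:invoke`, so the rule has to run after unmasking or on the server-side application log.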
CVSS provenance
- NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- NVD, CVSS v4.0: 8.2 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Red Hat (vendor): 8.2 HIGH
Both NVD vectors score confidentiality only (C:H / VC:H with no integrity or availability impact); the v4.0 AT:P (attack requirements present) lines up with the advisory's precondition that the dev server is exposed on the network with its WebSocket enabled.
Red Hat (vendor_redhat · 2026-04-07 · CVSS 8.2 · HIGH · CWE-1220)
Vite: Vite: Information disclosure via WebSocket connection bypasses access control
A flaw was found in Vite, a frontend tooling framework. A remote attacker can exploit this vulnerabi
GHSA (ghsa · 2026-04-06 · HIGH · CWE-200)
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
### Summary
The [`server.fs`](https://vite.dev/config/server-options#server-fs-strict) check was not enforced on the `fetchModule` method that the Vite dev server exposes over its WebSocket.
### Impact
Only apps that match the following conditions are affected:
- the Vite dev server is explicitly exposed to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- WebSocket is not disabled by `server.ws: false`
Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.
### Details
If it is possible to connect to the Vite dev server’s WebSocket **without an `Origin` header**, an attacker can invoke `fetchModule` via the c
OSV (osv · 2026-04-06 · HIGH): Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket; mirrors the GHSA advisory text above.
No detection rules found beyond the Nuclei template below.
Nuclei (nuclei · CVSS 8.2 · HIGH)
Vite Dev Server - Arbitrary File Read
Vite dev server exposes the fetchModule method via its WebSocket HMR (Hot Module Replacement) endpoint using the vite-hmr sub-protocol. By connecting to the WebSocket endpoint and sending a crafted vite:invoke custom event that calls fetchModule with a file:// URL (e.g., file:///etc/passwd?raw), an attacker can bypass server.fs.deny restrictions and read arbitrary files from the server filesystem. The vulnerability exists because fetchModule does not enforce the same filesystem access controls as other Vite server endpoints.
Template (truncated in the source):
```yaml
id: CVE-2026-39363
info:
  name: Vite Dev Server - Arbitrary File Read
  author: theamanrawat
  severity: high
  description: |
    Vite dev server exposes the fetchModule method via its WebSocket HMR (Hot Module Replacement) end
```
Bugzilla (bugzilla · 2026-04-07 · CVSS 8.2 · HIGH)
CVE-2026-39363 Vite: Vite: Information disclosure via WebSocket connection bypasses access control
Bugzilla community trackers (bugzilla · 2026-04-07 · CVSS 8.2 · HIGH)
- CVE-2026-39363 forgejo: Vite: Information disclosure via WebSocket connection bypasses access control [fedora-all]
- CVE-2026-39363 nodejs-aw-webui: Vite: Information disclosure via WebSocket connection bypasses access control [fedora-all]
- CVE-2026-39363 forgejo: Vite: Information disclosure via WebSocket connection bypasses access control [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Wiz (blogs_wiz · CVSS 4.3 · MEDIUM)
CVE-2026-39363 Impact, Exploitability, and Mitigation Steps | Wiz
## Summary, Impact and Details
Mirror the GHSA advisory above: the server.fs check is not enforced on fetchModule; only apps that expose the dev server with --host or server.host and do not disable WebSocket via server.ws: false are affected; an attacker connecting without an Origin header invokes fetchModule through vite:invoke with a file://... URL and ?raw or ?inline to receive the file as export default "...", bypassing server.fs.allow.
## PoC
The reproduction starts a dev server exposed on the network and first shows that the HTTP path is still protected by server.fs (403), which is exactly what the WebSocket path bypasses:
pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173
curl -i 'http://localhost:5173/@fs/etc/passwd?raw'
403 Restricted
The WebSocket step then sends the vite:invoke message calling fetchModule with a file://... URL and ?raw (the frame under Detection & IOCs above is that message).
Score 8.2 (Source: NVD) · Published April 6, 2026 · Severity HIGH · CNA Score N/A
Affected Technologies: JavaScript · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Probability Percentile (EPSS): N/A
References
- https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583
- https://access.redhat.com/errata/RHSA-2026:24761
- https://access.redhat.com/errata/RHSA-2026:24762
- https://access.redhat.com/errata/RHSA-2026:24866
- https://access.redhat.com/security/cve/CVE-2026-39363
- https://bugzilla.redhat.com/show_bug.cgi?id=2456179
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39363.json