CVE-2026-39363: Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server’s WebSocket.
References
- github.com/advisories/GHSA-p9ff-h696-f583
- github.com/vitejs/vite
- github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0
- github.com/vitejs/vite/pull/22159
- github.com/vitejs/vite/releases/tag/v6.4.2
- github.com/vitejs/vite/releases/tag/v7.3.2
- github.com/vitejs/vite/releases/tag/v8.0.5
- github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583
- nvd.nist.gov/vuln/detail/CVE-2026-39363
Code Behaviors & Features
Detect and mitigate CVE-2026-39363 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →