CVE-2026-39363
EUVD-2026-1987107.04.2026, 20:16
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| vitejs | vite | 6.0.0 ≤ 𝑥 ≤ 6.4.1 |
| vitejs | vite | 7.0.0 ≤ 𝑥 ≤ 7.3.1 |
| vitejs | vite | 8.0.0 ≤ 𝑥 ≤ 8.0.4 |
| voidzero | vite\+ | 𝑥 ≤ 0.1.15 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-1220 - Insufficient Granularity of Access ControlThe product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
References