Vite v6 Security Update: CVE-2024-45811 Exposes Arbitrary File Read Risk

A critical security vulnerability in the Vite build tool, tracked as CVE-2024-45811, exposes a path traversal flaw that can leak sensitive files. The core issue lies in the `@fs` middleware, which is designed to restrict access to files outside Vite's serving allow list. However, an attacker can bypass this protection by appending `?import&raw` to a crafted URL, forcing the server to return the contents of arbitrary files from the host system. This flaw directly undermines the security boundary between the development server and the host filesystem.

The vulnerability is present in versions prior to Vite 6.0.0. The security advisory from the Vite team confirms that the contents of arbitrary files can be returned to the browser, posing a significant data exposure risk for development environments. The update to Vite version 6.0.0 or later is the prescribed mitigation. This is not a minor patch; it is a major version jump that addresses a fundamental security control failure in a core feature used by millions of developers.

The exposure is particularly acute for projects using Vite's development server in sensitive contexts, where configuration files, environment variables, or source code could be exfiltrated. While the flaw resides in the dev server, its exploitation requires network access to the running instance. The prompt highlights the ongoing pressure on open-source maintainers to rapidly patch foundational tooling and the cascading security debt faced by downstream projects that must now prioritize this mandatory upgrade.