Vite Dev Server Security Flaw Exposes File System via WebSocket

A critical security vulnerability in Vite's development server has been disclosed, allowing unauthorized file system access. The flaw, tracked as GHSA-p9ff-h696-f583, bypasses the `server.fs` strict file access controls within the WebSocket-exposed `fetchModule` method. This creates a direct path for potential data exfiltration from the host machine during development.

The vulnerability specifically impacts applications that explicitly expose the Vite dev server to a network and have a custom `server.fs.deny` configuration. Under these conditions, an attacker could exploit the WebSocket connection to fetch files outside the allowed project directory, circumventing the intended security restrictions. The issue was present in versions prior to the patched releases.

The maintainers have released Vite versions 8.0.5 and 9.0.4 to address this security gap. This incident highlights the persistent risk in development tooling where internal APIs, like WebSocket handlers, can become unintended attack surfaces if not subjected to the same security checks as primary HTTP endpoints. Teams using Vite must prioritize this update to mitigate the risk of local file system compromise.