Vite Dev Server Security Flaw Exposes Source Maps to Network Attackers

A critical security vulnerability in the Vite development server allows attackers to access any file ending in `.map` on the host machine, potentially exposing sensitive source code and internal project structure. The flaw, tracked as GHSA-4w7w-66w2-5vf9, is present in versions prior to Vite 8.0.5. This is not a theoretical risk; it enables the exfiltration of source map files from anywhere on the server's filesystem, not just within the project directory, when the dev server is network-exposed.

The vulnerability specifically impacts applications that have explicitly exposed their Vite development server to the network, typically by using the `--host` command-line flag or configuring the `server.host` option. Under these conditions, a remote attacker could craft requests to retrieve `.map` files, which are debugging artifacts that often contain the original, unminified source code. This exposure transforms a routine development tool into a significant data leak vector, compromising intellectual property and revealing application logic that attackers could exploit for further intrusions.

This patch, upgrading Vite to version 8.0.5, is a mandatory security update for all affected development and testing environments. Teams using Vite must immediately verify their server configuration and apply the update to close this filesystem traversal gap. The incident underscores the latent risks in developer tooling and the importance of treating dev servers, once network-accessible, as hardened perimeter assets.