Vite Dev Server Security Flaw Exposes Source Maps to Network Attackers
A security vulnerability in the Vite development server allows a network attacker to read source map files that lie outside the project's directory. The flaw, tracked as GHSA-4w7w-66w2-5vf9, affects only requests for files whose names end in `.map`, but that is enough to matter: a source map carries the original (unminified) source, file paths, and often the full source text of every module it covers, so leaking one hands an attacker internal project structure and application logic for free. That is reconnaissance material that makes later, targeted attacks against the application easier to craft.
The vulnerability is reachable only under a specific but common configuration: the developer has exposed the Vite dev server to the network, either with the `--host` command-line flag or by setting the `server.host` configuration option to `true` or to a non-loopback address. Vite's dev server normally confines the files it will serve through its `server.fs` options (`strict`, `allow`, `deny`), so a request for a file outside the project root is refused; in the affected versions that confinement is not applied to `.map` files, which the server hands out regardless of where they sit on disk. The maintainers fixed the issue in Vite 8.0.0; the advisory lists the previous major line, 7.x, as vulnerable.
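The two server configurations side by side, as an added example written for this page (not a file from the advisory or from the Vite project): the exposed form that the advisory describes as the trigger, and a loopback-only form with the file-system confinement spelled out. The `server.host`, `server.strictPort` and `server.fs.*` keys are standard Vite options; the `deny` patterns shown are assumed to be sensible defaults for a typical project and are not part of the advisory.

```js
// vite.config.js (added example, not from the advisory or the Vite project)

// What the advisory warns about: the dev server bound to every interface.
// `host: true` has the same effect as running `vite --host`.
const exposedServer = {
  host: true, // or '0.0.0.0'
};

// Corrected: listen on loopback only, so the server is unreachable from the
// network. The fs block is defence in depth; on a vulnerable 7.x release it
// does not stop the .map bypass, which only the upgrade to 8.0.0+ fixes.
const localServer = {
  host: 'localhost',
  strictPort: true,
  fs: {
    strict: true,                 // refuse files outside the allow list
    allow: ['.'],                 // only the project root
    deny: ['.env', '.env.*', '*.{crt,pem}', '**/.git/**'],
  },
};

export default {
  server: localServer,
};
```

If a network-reachable dev server is genuinely needed, for instance to test on a phone, the order of operations is: upgrade to a fixed release first, then switch `server` to the exposed form, and never leave it that way in a checked-in config.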
The flaw puts at risk every development setup whose dev server is reachable from a network, and any staging environment that runs the dev server rather than a production build. Teams using Vite should update to 8.0.0 or later (`npm ls vite` shows which version a project actually resolves) and, until they have, stop passing `--host` and bind the server to localhost. The advisory is another reminder that development servers carry fewer safeguards than production systems and should not be exposed to untrusted networks at all. Left unpatched and exposed, the server lets anyone on the network read internal application logic, which risks intellectual property loss and gives an attacker a map for more serious intrusion attempts.