Vite Dev Server Security Flaw Exposes Denied Files to Network (GHSA-v2wj-q39q-566r)
A critical security vulnerability in the Vite development server allows attackers to bypass file access restrictions and retrieve sensitive data. The flaw, tracked as GHSA-v2wj-q39q-566r, specifically undermines the `server.fs.deny` configuration, a core security feature designed to block access to specified files. When the dev server is exposed to a network, files explicitly listed in the deny configuration can be returned to a user's browser, potentially leaking source code, configuration files, or environment variables.
The vulnerability is present in versions prior to Vite 7.3.2. The risk is not universal; it only impacts applications where developers have explicitly configured `server.fs.deny` and have also exposed the Vite dev server to a network, such as by using the `--host` flag. This creates a dangerous scenario where internal security controls are silently circumvented. The update to Vite 7.3.2 patches this flaw, closing the unintended data exposure vector.
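The advisory's two preconditions (a Vite version below 7.3.2 and a dev server exposed with `--host`) can be checked mechanically. The following is an added audit script, not code from Vite or the advisory; it assumes a standard `package.json` with a `vite` entry in `devDependencies` or `dependencies` and treats `--host` in an npm script as the exposure signal. Whether `server.fs.deny` is configured must be read from `vite.config.*` separately and passed in as a flag.

```javascript
// Added example: flag projects that match the advisory's risk profile
// (Vite < 7.3.2 AND a network-exposed dev server AND server.fs.deny in use).
const FIXED_VERSION = [7, 3, 2]; // first patched release per the advisory

// Parse "^7.1.0", "~7.3.1" or "7.3.2" into [major, minor, patch].
// Returns null for specs that cannot be pinned to a concrete version.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function isBelow(v, ref) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== ref[i]) return v[i] < ref[i];
  }
  return false;
}

// fsDenyConfigured: whether vite.config sets server.fs.deny (assumed true,
// the conservative default, when the caller has not checked).
function auditPackage(pkg, fsDenyConfigured = true) {
  const spec =
    (pkg.devDependencies && pkg.devDependencies.vite) ||
    (pkg.dependencies && pkg.dependencies.vite) || null;
  const version = spec ? parseVersion(spec) : null;
  const vulnerableVersion = version !== null && isBelow(version, FIXED_VERSION);

  // Heuristic: a script that runs the vite dev server with --host exposes it.
  const exposedScripts = Object.entries(pkg.scripts || {})
    .filter(([, cmd]) => /\bvite\b/.test(cmd) && !/\bvite\s+build\b/.test(cmd) && /--host\b/.test(cmd))
    .map(([name]) => name);

  return {
    viteVersion: spec,
    vulnerableVersion,
    exposedScripts,
    atRisk: vulnerableVersion && exposedScripts.length > 0 && fsDenyConfigured,
  };
}

// Constructed sample package.json (not from any real project).
const samplePkg = {
  scripts: { dev: "vite --host 0.0.0.0", build: "vite build" },
  devDependencies: { vite: "^7.1.0" },
};

console.log(auditPackage(samplePkg, true)); // atRisk: true
```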
This incident highlights a critical intersection of developer tooling and application security posture. Teams using Vite for local development or in networked environments must immediately assess their exposure. The patch is a mandatory upgrade for any project whose dev server is reachable from a network, since exploitation could give unauthorized parties access to proprietary code or secrets before they ever reach production. The fix underscores the persistent need to treat build and development servers with the same security scrutiny as production infrastructure.