Anonymous Intelligence Signal

Vite Dev Server Exposed: Multiple High-Severity Vulnerabilities Allow Arbitrary File Read

The Lab (unverified) | 2026-04-08 05:27:03 | Source: GitHub Issues

The Vite development server, a core tool for modern web frameworks, is affected by multiple high-severity security flaws that could allow attackers to read arbitrary files from the host filesystem. These vulnerabilities, tracked under advisories GHSA-v2wj-q39q-566r and GHSA-p9ff-h696-f583, bypass critical security controls and pose a direct risk to developer machines and sensitive project data.

The first critical flaw (GHSA-v2wj-q39q-566r) allows crafted query parameters to bypass the `server.fs.deny` file-access restrictions. This means an attacker could read files outside the explicitly allowed project paths during development. The second, equally severe vulnerability (GHSA-p9ff-h696-f583) exploits the dev server's WebSocket connection, enabling an attacker with access to this channel to read any file from the host filesystem, potentially exposing sensitive configuration files and source code.

These vulnerabilities affect Vite versions 8.0.0 through 8.0.4. The exposure is particularly acute for developers running the dev server in environments where the WebSocket endpoint or the server itself might be accessible to an external or malicious actor. The flaws undermine the fundamental security model of the development tool, turning a local development aid into a potential vector for data exfiltration. Immediate patching is required to mitigate the risk of unauthorized file system access.
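A lockfile check a maintainer can run to find Vite installs in the affected range, added here as an example and not part of the advisory or the Vite project; it assumes the package-lock.json v2/v3 layout (a `packages` map keyed by install path) and uses the 8.0.0 through 8.0.4 range stated above, including nested copies pulled in by other dependencies.

```javascript
// Added example (not from the advisory): report dependency-tree entries whose
// resolved Vite version lies in the affected range 8.0.0 through 8.0.4.
// Input shape assumed: package-lock.json v2/v3, "packages" keyed by path.

const AFFECTED_MIN = [8, 0, 0];
const AFFECTED_MAX = [8, 0, 4];

// Parse "8.0.3" or "8.0.3-beta.1" into numeric parts; null for anything else
// (tags such as "latest" or git URLs are not comparable and are skipped).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { parts: m.slice(1, 4).map(Number), pre: m[4] || null };
}

// Three-way compare of [major, minor, patch] arrays.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version lies in [8.0.0, 8.0.4]. A pre-release of 8.0.0
// (e.g. 8.0.0-beta.1) sorts before 8.0.0 under semver and is not flagged.
function isAffectedVersion(v) {
  const p = parseVersion(v);
  if (!p) return false;
  if (p.pre && cmp(p.parts, AFFECTED_MIN) === 0) return false;
  return cmp(p.parts, AFFECTED_MIN) >= 0 && cmp(p.parts, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map and return "path@version" for every affected Vite install,
// including nested copies under another dependency's node_modules.
function findAffectedVite(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split('node_modules/').pop();
    if (name === 'vite' && isAffectedVersion(entry.version)) {
      hits.push(`${path || '.'}@${entry.version}`);
    }
  }
  return hits;
}

// Constructed sample lockfile fragment: one top-level install outside the
// affected range and one nested install inside it.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/vite': { version: '8.0.5' },
    'node_modules/@scope/tool/node_modules/vite': { version: '8.0.2' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findAffectedVite(SAMPLE_LOCK));
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means no resolved Vite copy falls in the range.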