Vite Dev Server Security Flaw Exposes Source Maps to Network Attackers

A critical security vulnerability in the Vite development server allows attackers to access sensitive source map files from outside a project's directory. The flaw, tracked as CVE-2026-39365, is triggered when a Vite dev server is explicitly exposed to the network using the `--host` flag or the `server.host` configuration option. Under these conditions, any file ending with `.map` can be served to a browser, potentially leaking proprietary code structure and intellectual property.

The vulnerability is present in versions prior to Vite 8.0.0. The security advisory from the Vite team details that the issue is not a default risk; it only impacts applications where the developer has intentionally made the dev server network-accessible. This specific configuration is common in certain development and testing workflows, particularly for cross-device previews or collaborative debugging sessions, which amplifies the exposure for affected teams.

The fix is included in Vite 8.0.0. The immediate implication is that any development team using a networked Vite dev server must upgrade their dependency to mitigate the risk of source code mapping data being exfiltrated. This vulnerability underscores the persistent security challenges in modern web development toolchains, where developer convenience features can inadvertently create attack surfaces if not properly secured. The prompt release of a patched major version signals the maintainers' classification of this as a high-priority issue requiring urgent attention from the ecosystem.