Vite v7.3.2 Patches Critical File Exposure Vulnerability (CVE-2026-39364)
A critical security vulnerability in the Vite development server, which exposed sensitive files to remote browsers, has been patched. The flaw, tracked as CVE-2026-39364, allows the contents of files explicitly blocked by the `server.fs.deny` configuration to be returned to a client. This bypass of intended access controls creates a direct path for information disclosure in vulnerable setups.
The vulnerability specifically impacts applications that have explicitly exposed their Vite development server to the network. This exposure occurs when developers use the `--host` command-line flag or configure the `server.host` option, making the local dev server accessible over the network. Under these conditions, the security mechanism designed to deny file access fails, leaking protected file contents.
The patch, released in Vite version 7.3.2, addresses this server-side security failure. The update is classified as a security patch, prompting an urgent dependency review for all projects using Vite in a networked development environment. Teams must upgrade from version 7.3.1 to mitigate the risk of unintended data exposure from their development servers.
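A dependency review along these lines can be scripted. The following is an added example, not code from the Vite project or the advisory: it reads the installed Vite version from a `package-lock.json` object and flags projects that also pass `--host` in an npm script or set a non-loopback `server.host`. The function names and sample project are hypothetical, the config check is a text heuristic, and treating every version below 7.3.2 as needing the upgrade is an assumption (the article names only 7.3.1).

```javascript
// Added example: the sample project at the bottom is constructed.
const FIXED = [7, 3, 2]; // patched release named in the article

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// npm scripts that start vite with the --host flag.
function scriptsExposingHost(scripts = {}) {
  return Object.entries(scripts)
    .filter(([, cmd]) => /(^|\s)vite(\s|$)/.test(cmd) && /(^|\s)--host(\s|=|$)/.test(cmd))
    .map(([name]) => name);
}

// Heuristic text match for a `host:` key in a Vite config (it does not parse
// the file, so any `host:` key matches); loopback values are not exposure.
function configExposesHost(configText = "") {
  const m = /\bhost\s*:\s*(true|(['"])(.*?)\2)/.exec(configText);
  if (!m) return false;
  if (m[1] === "true") return true;
  return !["localhost", "127.0.0.1", "::1"].includes(m[3]);
}

function auditProject({ lock, pkg, configText }) {
  const installed = lock?.packages?.["node_modules/vite"]?.version ?? null;
  const parsed = installed && parseVersion(installed);
  const needsUpgrade = parsed ? isBelow(parsed, FIXED) : null; // null = unknown
  const hostScripts = scriptsExposingHost(pkg?.scripts);
  const networked = hostScripts.length > 0 || configExposesHost(configText);
  return { installed, needsUpgrade, hostScripts, networked,
           urgent: needsUpgrade === true && networked };
}

// Constructed sample project (assumption: lockfile v2/v3 "packages" layout).
const sample = {
  lock: { packages: { "node_modules/vite": { version: "7.3.1" } } },
  pkg: { scripts: { dev: "vite", "dev:lan": "vite --host", build: "vite build" } },
  configText: `export default { server: { host: 'localhost', fs: { deny: ['.env'] } } }`,
};
console.log(auditProject(sample));
```

A result with `urgent: true` marks a project that is both below the patched release and network-exposed; `needsUpgrade: null` means the lockfile did not reveal a version and the project needs a manual check.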