Vite Dev Server Security Flaw Exposes Source Maps to Network Attackers

A critical security vulnerability in the Vite development server allows attackers to access any file ending in `.map` from outside the project directory. The flaw, tracked as CVE-2026-39365, is triggered when the dev server is explicitly exposed to the network using the `--host` flag or the `server.host` configuration option. This creates a direct path for unauthorized access to potentially sensitive source map files, which can reveal underlying source code structure and logic.

The vulnerability is present in Vite versions prior to 8.0.5. The update to version 8.0.5 patches this security hole. The advisory from the Vite team indicates that only applications meeting the specific condition of a network-exposed dev server are impacted. This is a targeted but significant risk for developers using Vite in certain local or networked development environments where the server is configured to accept external connections.

The patch is now available via dependency management tools. Developers are urged to update their projects immediately if they use a vulnerable version and have their dev server configured for network access. This incident underscores the persistent security considerations in modern web development toolchains, where development servers can become unintended vectors for information disclosure if not properly secured and kept up-to-date.