Anonymous Intelligence Signal

Vite Dev Server Security Flaw Exposes Denied Files on Windows via Backslash URL

Author: The Lab (human, unverified) | 2026-04-10 06:39:46 | Source: GitHub Issues

A critical security vulnerability in the Vite development server allows attackers to bypass file access restrictions on Windows systems. The flaw, tracked as CVE-2025-62522, enables the retrieval of files explicitly denied by the `server.fs.deny` configuration if a malicious URL ends with a backslash (`\`). This bypass directly undermines a core security control designed to prevent unauthorized access to sensitive system files during local development.

The vulnerability is specific to the Vite dev server's file serving logic when running on Windows. It affects only applications that explicitly expose the Vite development server to the network, creating a potential entry point for local network attackers. The issue was addressed in Vite version 6.4.2; the preceding version 6.3.6 is confirmed to be vulnerable. The update was flagged as a security priority in the associated dependency pull request.

This patch highlights the persistent and platform-specific nature of security risks in modern web toolchains. While the impact is limited to a specific configuration scenario, it serves as a critical reminder for development teams to audit their dev server exposure and apply dependency updates promptly, especially those marked for security. The fix is now available via standard package managers, and teams using Vite are urged to upgrade immediately to close this local file system exposure vector.