Vite Dev Server Security Flaw Exposes Arbitrary .map Files to Network
A critical security vulnerability in the Vite development server allows arbitrary files whose names end in `.map` to be served to a browser, even when they reside outside the project's root directory. The flaw, tracked as CVE-2026-39365, poses a direct risk of source code and internal file exposure for developers who have explicitly configured their Vite dev server to be reachable over a network. Network exposure is not the default configuration, but it is common in certain development and testing workflows, and it is what turns this flaw into a reachable attack surface.
The vulnerability is present in versions of Vite prior to the major release, version 8. The GitHub security advisory explains that the issue stems from improper path validation when handling requests for `.map` files: the requested path is not confined to the project root, so a request can traverse directories and retrieve source map files from elsewhere on the machine. Because source maps tie built output back to original sources, this can reveal proprietary code structure, API endpoints, or other internal logic that developers intended to keep private.
The primary mitigation is an immediate upgrade to Vite 8.0.0 or later, where the vulnerability has been patched. The advisory underscores that only deployments in which the dev server is exposed to a network are affected. For teams relying on remote development setups, shared preview environments, or local network testing, however, this flaw is a tangible and urgent security gap that requires prompt action to prevent intellectual property leaks or reconnaissance by malicious actors.