Vite Dev Server Vulnerability: Path Traversal in .map Requests Exposes Files Outside Project Root
A path traversal vulnerability in Vite's development server has been disclosed, allowing unauthorized access to source map files located outside the configured project root. The flaw affects versions from 6.0.0 onward on each release line, up to but not including 6.4.2, 7.3.2, and 8.0.5, and resides in the server's handling of requests for `.map` files. Specifically, the server resolves the requested file path and calls `readFile` without properly sanitizing `../` segments in the incoming URL.
This weakness effectively bypasses the `server.fs.strict` allow list, a core security feature designed to restrict file system access. An attacker could exploit this by crafting a request for a `.map` file using directory traversal sequences. The server would then attempt to read and serve the file; because the response path expects a source map, only files whose contents parse as valid JSON are returned, but that still leaves room for sensitive information to leak from directories not intended to be accessible via the dev server.
The vulnerability has been patched in Vite versions 6.4.2, 7.3.2, and 8.0.5. Developers are urged to upgrade immediately to a fixed version. This incident highlights the critical need to validate all user-supplied path inputs, even for auxiliary files like source maps, within development tooling to prevent unintended information disclosure.