Vite Dev Server Vulnerability: Query Parameter Bypass Exposes Sensitive Files (.env, *.crt)
A critical security flaw in Vite's development server allows attackers to bypass file access restrictions and retrieve sensitive files like environment variables and certificates. The vulnerability, present in versions 7.1.0 through 7.3.1 and 8.0.4, enables unauthorized access to files explicitly blocked by the `server.fs.deny` configuration. By simply appending query parameters such as `?raw`, `?import&raw`, or `?import&url&inline` to a request, an attacker can force the server to return these protected files with a 200 OK response, turning a standard security control into a dangerous information disclosure channel.
The core of the issue lies in the Vite dev server's handling of these specific query strings, which incorrectly overrides the `fs.deny` rules designed to shield critical assets like `.env` files and `*.crt` certificates. This bypass is not a theoretical concern; it provides a direct path for extracting secrets, API keys, and cryptographic materials from a running development environment. The vulnerability has been patched in versions 7.3.2 and 8.0.5, with the fix explicitly addressing the improper query parameter processing.
This disclosure places immediate pressure on development teams using affected Vite versions to upgrade. The risk is particularly acute for projects where the dev server is reachable from untrusted networks, or where local development environments hold production-like secrets. Until the patch is applied, the `server.fs.deny` list cannot be relied on, because the primary control guarding local files is ineffective against these query strings. The fix is to upgrade from vulnerable versions such as 7.2.7 to 7.3.2 or 8.0.5 to close this security gap.
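A quick way to audit a project for the affected releases is to compare the installed Vite version against the ranges named above. The following is an added example, not Vite's own code; it assumes the version string comes from the `version` field of `node_modules/vite/package.json` (the sample object below is constructed):

```javascript
// Added example (not part of Vite): flag Vite versions in the advisory's
// affected ranges (7.1.0 through 7.3.1, and 8.0.4) and name the patched release.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive ranges from the advisory, each with the release that fixes it.
const AFFECTED_RANGES = [
  { min: '7.1.0', max: '7.3.1', fixed: '7.3.2' },
  { min: '8.0.4', max: '8.0.4', fixed: '8.0.5' },
];

function assessViteVersion(version) {
  const v = parseVersion(version);
  for (const r of AFFECTED_RANGES) {
    const inRange =
      compareVersions(v, parseVersion(r.min)) >= 0 &&
      compareVersions(v, parseVersion(r.max)) <= 0;
    if (inRange) return { version, vulnerable: true, upgradeTo: r.fixed };
  }
  return { version, vulnerable: false, upgradeTo: null };
}

// Convenience wrapper for a parsed package.json object (e.g. from
// JSON.parse(fs.readFileSync('node_modules/vite/package.json', 'utf8'))).
function assessViteFromPackageJson(pkg) {
  if (!pkg || pkg.name !== 'vite') throw new Error('not a vite package.json');
  return assessViteVersion(pkg.version);
}

// Constructed sample input standing in for an installed vite package.
const sampleVitePackageJson = { name: 'vite', version: '7.2.7' };
const sampleResult = assessViteFromPackageJson(sampleVitePackageJson);
console.log(JSON.stringify(sampleResult)); // {"version":"7.2.7","vulnerable":true,"upgradeTo":"7.3.2"}
```
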