Vite Dev Server Security Flaw Exposes Source Maps to Network Attackers
A critical security vulnerability in the Vite development server allows attackers to access source map files from outside a project's directory. The flaw, tracked as CVE-2026-39365, is triggered when any file ending in `.map` is requested, potentially exposing sensitive debugging information and source code structure to unauthorized parties on the network. This creates a direct path for reconnaissance and targeted attacks against development environments.
The vulnerability specifically impacts applications that have explicitly exposed their Vite dev server to the network. This exposure occurs when developers use the `--host` command-line flag or configure the `server.host` option in their Vite configuration. Under these conditions, the server fails to properly restrict access to `.map` files, treating them as accessible assets regardless of their location relative to the project root. The issue was addressed in Vite version 8.0.0, prompting automated dependency managers like RenovateBot to generate pull requests urging projects to upgrade from versions like 7.3.1.
The immediate implication is a significant information disclosure risk for development teams using Vite in a networked mode, a common practice for cross-device testing or collaboration. While the flaw resides in the dev server and not the production build, it exposes a critical attack surface during the development phase. Organizations must audit their Vite configurations, disable network exposure if not strictly necessary, and prioritize applying the patch by upgrading to Vite 8.0.0 or later to close this security gap.
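The audit this article asks for has two parts: is the dev server exposed to the network (the `--host` flag in an npm script or a `server.host` setting in the Vite config), and is the project still on a Vite release below 8.0.0? The following Node.js script is an added example, not code from the article or from the Vite project, that checks both conditions on constructed `package.json` and `vite.config.js` samples. Its treatment of `host` values (`false`, `'localhost'` and `'127.0.0.1'` counted as local, anything else as exposed), the regex scan of the config text, and the use of the lowest version a semver range admits are all heuristics we assume here; the lockfile, not `package.json`, is the authoritative record of the installed version.

```javascript
// Added example (not from the article or the Vite project): flags projects
// that match both conditions the article describes -- a network-exposed Vite
// dev server and a Vite version below the fixed release 8.0.0.
// Inputs are strings so the check runs offline on constructed samples;
// in practice read package.json and vite.config.* from disk.

const FIXED_VERSION = [8, 0, 0]; // release the article names as containing the fix

// Parse a version spec such as "^7.3.1" or "8.0.0" into [major, minor, patch].
// Assumption: the lowest version a range admits is the one to compare.
function parseMinVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  return m ? m.slice(1, 4).map(Number) : null;
}

function versionLessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// True if any npm script runs vite with the --host flag.
function scriptsUseHostFlag(pkg) {
  const scripts = pkg.scripts || {};
  return Object.values(scripts).some(
    (cmd) => /\bvite\b/.test(cmd) && /(^|\s)--host(\s|=|$)/.test(cmd)
  );
}

// Heuristic scan of vite.config source text for a `host` key inside `server`.
// Assumption (ours, not Vite documentation): false, 'localhost' and '127.0.0.1'
// keep the server local; true, '0.0.0.0' or a LAN address expose it.
function configExposesHost(configText) {
  const serverBlock = /server\s*:\s*\{([^}]*)\}/.exec(configText);
  if (!serverBlock) return false;
  const host = /\bhost\s*:\s*([^,}\n]+)/.exec(serverBlock[1]);
  if (!host) return false;
  const value = host[1].trim().replace(/^['"`]|['"`]$/g, '');
  return !['false', 'localhost', '127.0.0.1'].includes(value);
}

function auditViteProject(packageJsonText, viteConfigText) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps.vite || null;
  const version = spec ? parseMinVersion(spec) : null;
  const vulnerableVersion = version !== null && versionLessThan(version, FIXED_VERSION);
  const networkExposed = scriptsUseHostFlag(pkg) || configExposesHost(viteConfigText);
  return {
    viteVersion: spec,
    vulnerableVersion,
    networkExposed,
    // Both conditions must hold for the issue described in the article to apply.
    atRisk: vulnerableVersion && networkExposed,
  };
}

// Constructed samples (not taken from any real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  scripts: { dev: 'vite --host', build: 'vite build' },
  devDependencies: { vite: '^7.3.1' },
});

const SAMPLE_CONFIG_EXPOSED = `
import { defineConfig } from 'vite';
export default defineConfig({
  server: { host: '0.0.0.0', port: 5173 },
});
`;

const SAMPLE_CONFIG_LOCAL = `
import { defineConfig } from 'vite';
export default defineConfig({ server: { port: 5173 } });
`;

console.log(auditViteProject(SAMPLE_PACKAGE_JSON, SAMPLE_CONFIG_EXPOSED));
console.log(auditViteProject(SAMPLE_PACKAGE_JSON, SAMPLE_CONFIG_LOCAL));
```

The first call reports `atRisk: true` (script uses `--host`, version range starts at 7.3.1); the second still reports `atRisk: true` because the `--host` flag alone is enough for exposure even when the config stays silent. Only a project that is both on 8.0.0 or later and not exposing the server clears both checks.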