Vite v7.3.2 Security Patch Released for Critical File Exposure Vulnerability CVE-2026-39364

A critical security vulnerability in the Vite build tool has been patched, exposing sensitive server files to the browser. The flaw, tracked as CVE-2026-39364, allows the contents of files explicitly blocked by the `server.fs.deny` configuration to be returned to a user's browser, bypassing intended access controls. This represents a significant server-side data exposure risk for any project using Vite's development server with the deny list feature.

The vulnerability was addressed in Vite version 7.3.2, a minor patch released to supersede version 7.3.1. The update is being pushed via automated dependency management tools like RenovateBot, which flags the change as a security priority. The advisory from the Vite team confirms the issue's severity, though the exact mechanism and potential for remote exploitation remain detailed in the security advisory. Projects must update immediately to close this security gap.

This incident underscores the persistent risk in modern development toolchains where a configuration-based security feature can be circumvented. The prompt patch release by the Vite maintainers highlights the active threat, but the vulnerability's existence in a widely-used tool means countless development environments could have been exposed. Teams relying on `server.fs.deny` to protect local secrets, configuration files, or source code must verify their deployment of Vite 7.3.2 to mitigate the risk of unintended data leakage.