Vite v6 Security Update: CVE-2024-45811 Exposes Arbitrary File Read Risk

A critical security vulnerability in the Vite build tool, tracked as CVE-2024-45811, exposes a path traversal flaw that can leak sensitive files. The core issue is that the `@fs` protocol, designed to restrict file access, can be bypassed by appending `?import&raw` to a request URL. This bypass allows an attacker to retrieve the contents of arbitrary files from the server, potentially exposing source code, configuration files, or environment secrets that should remain inaccessible.

The vulnerability is addressed in Vite version 6. The update, flagged as a security priority, represents a major version jump from 4.x to 6.x, indicating significant underlying changes to patch this security boundary failure. The advisory from the Vite team confirms the flaw allows the contents of files to be returned to the browser, circumventing the intended allow list. This is not a theoretical risk; it is a direct bypass of a core security control within the development server.

For any project using Vite, especially in development or preview modes, this vulnerability poses a direct data exposure threat. Teams must prioritize updating their dependency to Vite v6 or later to close this security gap. The presence of this CVE in a widely-used frontend toolchain underscores the persistent risk in build and dev server infrastructure, where a single misconfigured access control can become a significant data leak vector.