Vite Security Patch Abandoned: Critical File Access Vulnerability Remains Unpatched in Vite 7.3.x

A security update addressing a file access vulnerability in Vite has been marked as abandoned, leaving a critical exposure unpatched in the popular JavaScript build tool. The proposed fix, which would have upgraded Vite from version 7.3.1 to 7.3.2 to resolve GitHub Security Advisory GHSA-v2wj-q39q-566r, was never merged. The vulnerability allows files restricted by the `server.fs.deny` configuration to be returned to the browser under specific network conditions.

The flaw specifically impacts applications that explicitly expose the Vite development server to the network, rather than keeping it bound to localhost. Under these configurations, the `server.fs.deny` safeguard—which is designed to prevent serving sensitive files such as environment configuration, lock files, and source control metadata—can be bypassed. Vite 7.3.2, which contains the patch, has been available since the update was proposed, but the pull request to incorporate it into the affected repository remains in an abandoned state.

Developers using Vite in networked development environments face ongoing risk until the fix is applied. Security researchers warn that exposed dev servers could inadvertently serve configuration files containing secrets, credentials, or other sensitive data. The practical severity depends on whether the Vite dev server is accessible beyond localhost and whether sensitive files are present within the project structure. Organizations should audit their Vite configurations and consider manual upgrades to 7.3.2 or later as a precaution, particularly for projects with elevated exposure.