Vite 7.0.0 Patches Critical Arbitrary File Read Vulnerability in Dev Server WebSocket

A critical security vulnerability has been identified in Vite, a widely adopted JavaScript build tool and development server. The flaw, tracked as CVE-2026-39363 and documented in GitHub Security Advisory GHSA-p9ff-h696-f583, allows an attacker to read arbitrary files on the system through the Vite Dev Server WebSocket interface. The vulnerability affects Vite versions prior to 7.0.0 and has been addressed in the newly released Vite 7.0.0 update.

The arbitrary file read exposure stems from insufficient validation within the WebSocket handler of Vite's development server. This component is active by default during local development, meaning any project running a Vite dev server on an exposed network interface is potentially vulnerable. The severity of the issue is amplified by the fact that development environments often contain configuration files, environment variables with API keys and credentials, and source code that could be leveraged for further attacks. Projects transitioning from Vite 6.4.1 or earlier versions to 7.0.0 will receive the security patch.

Developers and organizations using Vite for frontend or full-stack development should update their dependency immediately. The Mend Renovate bot has already flagged this update with high confidence and age metrics, indicating a clear signal for prioritization. Teams should verify their dependency manifests and consider auditing any Vite-based projects currently deployed with exposed dev server ports. This vulnerability underscores the ongoing risk surface that development tooling introduces when security patches are delayed.