Vite Security Patch 6.4.2 Closes Critical File Read Vulnerability in Dev Server WebSocket

Vite has released version 6.4.2 to address CVE-2026-39363, a security vulnerability that allowed arbitrary file read through the Vite Dev Server WebSocket interface. The flaw, tracked as GHSA-p9ff-h696-f583, stems from the `server.fs` strict check—a security boundary meant to restrict filesystem access—failing to enforce restrictions on the `fetchModule` method exposed via WebSocket connections.

Developers using Vite 6.4.1 and earlier are urged to update immediately. The vulnerability creates a risk where attackers with access to a development environment's WebSocket endpoint could potentially read arbitrary files accessible to the Vite process. This poses particular concern for projects handling sensitive configuration files, environment variables, or source code during local development. The patch enforces the intended `server.fs` restrictions on the exposed `fetchModule` method, closing the bypass.

Projects relying on Vite for frontend build tooling and development servers should verify their dependency versions and apply the security update. Teams using automated dependency management tools like Renovate should confirm their systems have pulled the patched release. The NVD database entry for CVE-2026-39363 provides additional technical details for security teams conducting audits.