
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-P9FF-H696-F583: Arbitrary File Read via Vite Dev Server WebSocket RPC

Vulnerability ID: GHSA-P9FF-H696-F583
CVSS Score: 8.2
Published: 2026-04-06

The Vite development server exposes a WebSocket Remote Procedure Call (RPC) interface for Hot Module Replacement (HMR). A missing filesystem authorization check in the fetchModule handler allows unauthenticated network attackers to read arbitrary files from the host system when the server is exposed via the --host parameter.

TL;DR

Vite prior to versions 6.4.2, 7.3.2, and 8.0.5 lacks filesystem boundary enforcement on its WebSocket RPC interface. Unauthenticated attackers can bypass server.fs.allow restrictions to read sensitive local files by invoking fetchModule via the HMR WebSocket.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200, CWE-284
  • Attack Vector: Network (AV:N)
  • CVSS v4.0 Score: 8.2 (High)
  • Authentication: None Required (PR:N)
  • Impact: High Confidentiality Loss (Arbitrary File Read)
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • Vite Development Server
  • Vite Hot Module Replacement (HMR)
  • Vite WebSocket RPC Channel
  • vite: >= 6.0.0, < 6.4.2 (Fixed in: 6.4.2)
  • vite: >= 7.0.0, < 7.3.2 (Fixed in: 7.3.2)
  • vite: >= 8.0.0, < 8.0.5 (Fixed in: 8.0.5)

Code Analysis

Commit: f02d9fd

Fix arbitrary file read via WebSocket RPC by enforcing transform filesystem boundaries natively in transformRequest and disabling fetchModule on the default client dev environment.
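The fix commit describes enforcing filesystem boundaries in the transform path itself rather than relying on the HTTP layer. The following is an added, illustrative implementation of that kind of check, written for this page and not taken from Vite's code base: a requested module path has any `?raw`-style query stripped, is percent-decoded and normalised POSIX-style, and is accepted only when it resolves inside one of the configured allow roots. The `ALLOW` list and the paths used are constructed sample values.

```javascript
// Added example (not Vite's code): a filesystem-boundary check of the kind
// the fix describes, applied before a module's source is ever read.

// Strip a Vite-style query suffix such as "?raw" or "?import" before checking,
// so the suffix cannot change which file the path refers to.
function stripQuery(requestPath) {
  const q = requestPath.indexOf('?');
  return q === -1 ? requestPath : requestPath.slice(0, q);
}

// Decode percent-encoding so an encoded ".." is seen by the "..".handling below.
function decodeSafely(p) {
  try {
    return decodeURIComponent(p);
  } catch {
    return p; // malformed escapes are left as-is and will simply not match
  }
}

// Normalise an absolute POSIX path: collapse "." and "..", drop empty segments.
function normalizePosix(p) {
  const parts = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      parts.pop(); // ".." above the root simply stays at the root
      continue;
    }
    parts.push(seg);
  }
  return '/' + parts.join('/');
}

// True when `requestPath` lies within one of `allowRoots` (absolute paths).
// The comparison appends a separator to the root so that "/home/dev/app-other"
// is not mistaken for a child of "/home/dev/app".
function isWithinAllowedRoots(requestPath, allowRoots) {
  const target = normalizePosix(decodeSafely(stripQuery(requestPath)));
  return allowRoots.some((root) => {
    const r = normalizePosix(root);
    return target === r || target.startsWith(r === '/' ? '/' : r + '/');
  });
}

// Constructed sample: a project whose allow list is only its own directory.
const ALLOW = ['/home/dev/app'];

console.log(isWithinAllowedRoots('/home/dev/app/src/main.ts?raw', ALLOW)); // true
console.log(isWithinAllowedRoots('/etc/passwd?raw', ALLOW));                // false
```

The check is deliberately independent of which transport (HTTP or WebSocket RPC) delivered the request; that is the property the advisory says was missing, since the allow list was enforced for one entry point but not the other.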

Exploit Details

  • Research Context PoC: JSON payload demonstrating the invocation of fetchModule targeting /etc/passwd utilizing the ?raw parameter.

Mitigation Strategies

  • Upgrade to patched Vite versions (6.4.2, 7.3.2, 8.0.5)
  • Remove the --host flag to disable network exposure
  • Explicitly bind development server to localhost via server.host: '127.0.0.1'
  • Verify server.fs.strict is enabled and review server.fs.allow lists

Remediation Steps:

  1. Identify all projects within the organization utilizing the Vite framework.
  2. Update the package.json dependencies so that vite resolves to a fixed release within its major line: >= 6.4.2 for 6.x, >= 7.3.2 for 7.x, or >= 8.0.5 for 8.x.
  3. Execute npm install, yarn install, or pnpm install to apply the updated versions.
  4. Audit npm scripts and CI/CD configurations to remove unnecessary usage of the --host flag.
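The mitigation list and the remediation steps above amount to three checks: is the installed vite version in an affected range, does vite.config expose the server or loosen server.fs, and do any npm scripts pass a bare --host. The following is an added helper script, written for this page and not part of Vite or the advisory, that performs all three on values you pass in. The version ranges are the ones listed under Affected Systems; hardenedConfig, exposedConfig and the sample scripts object are constructed inputs, and the function names are my own.

```javascript
// Added example (not from the advisory or the Vite project): audit helpers for
// the three remediation checks. Feed them the installed vite version (for
// example from node_modules/vite/package.json), the `server` block of your
// vite.config, and the `scripts` object from package.json.

// Affected ranges as listed in the advisory; each range ends at the fixed version.
const AFFECTED_RANGES = [
  { min: [6, 0, 0], fixed: [6, 4, 2] },
  { min: [7, 0, 0], fixed: [7, 3, 2] },
  { min: [8, 0, 0], fixed: [8, 0, 5] },
];

// Parse "1.2.3" or "v1.2.3" into [1, 2, 3]; prerelease tags are ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version falls in any affected range.
function isAffectedVersion(version) {
  const v = parseSemver(version);
  return AFFECTED_RANGES.some(
    (r) => compareSemver(v, r.min) >= 0 && compareSemver(v, r.fixed) < 0,
  );
}

// Inspect the `server` block of a Vite config and return a list of findings.
// `server.host` may be a string, `true` (listen on all interfaces) or absent
// (Vite's default is localhost-only).
function auditServerConfig(server = {}) {
  const findings = [];
  const host = server.host;
  if (host === true || host === '0.0.0.0' || host === '::') {
    findings.push('server.host exposes the dev server on all interfaces');
  }
  const fs = server.fs || {};
  if (fs.strict === false) {
    findings.push('server.fs.strict is disabled');
  }
  if (Array.isArray(fs.allow) && fs.allow.includes('/')) {
    findings.push('server.fs.allow includes the filesystem root');
  }
  return findings;
}

// Return the names of npm scripts that pass --host with no value or with an
// all-interfaces value; "--host 127.0.0.1" and "--host localhost" are accepted.
function scriptsExposingHost(scripts = {}) {
  const wide = new Set(['0.0.0.0', '::', 'true']);
  return Object.entries(scripts)
    .filter(([, cmd]) => {
      const m = /--host(?:[=\s]+([^\s-]\S*))?/.exec(cmd);
      return m !== null && (m[1] === undefined || wide.has(m[1]));
    })
    .map(([name]) => name);
}

// Constructed sample: a config following the advisory's mitigation list.
const hardenedConfig = {
  server: { host: '127.0.0.1', fs: { strict: true, allow: ['.'] } },
};

// Constructed sample: a config that widens exposure in both respects.
const exposedConfig = {
  server: { host: true, fs: { strict: false } },
};

// Constructed sample package.json scripts.
const sampleScripts = {
  dev: 'vite --host',
  'dev-local': 'vite --host 127.0.0.1',
  preview: 'vite preview',
};

console.log('7.3.1 affected:', isAffectedVersion('7.3.1'));       // true
console.log('7.3.2 affected:', isAffectedVersion('7.3.2'));       // false
console.log('hardened:', auditServerConfig(hardenedConfig.server)); // []
console.log('exposed:', auditServerConfig(exposedConfig.server));   // two findings
console.log('scripts:', scriptsExposingHost(sampleScripts));        // ['dev']
```

The version check deliberately takes the resolved version rather than the package.json range, because a range such as ^7.0.0 says nothing about which release the lockfile actually pinned. Note that the script check only looks at --host on the command line; a host set in vite.config or through an environment-driven config still needs the config audit.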
