Vite versions 6.0.0 to before 6.4.2, 7.0.0 to before 7.3.2, and 8.0.0 to before 8.0.5 contain a vulnerability where an attacker can connect to the dev server's WebSocket without an Origin header and use the vite:invoke event to call fetchModule. This allows combining file:// URLs with ?raw or ?inline query parameters to retrieve arbitrary file contents from the server as JavaScript strings. The vulnerability arises because access control mechanisms applied to HTTP requests (e.g., server.fs.allow) do not apply to this WebSocket-based execution path. The issue is resolved in versions 6.4.2, 7.3.2, and 8.0.5.

An attacker can expose sensitive information by reading arbitrary files on the server hosting the Vite development server. This could lead to disclosure of source code, configuration files, or other sensitive data accessible to the server process. The vulnerability does not require privileges or user interaction and can be exploited remotely over the network. No known active exploitation has been reported.

This vulnerability is fixed in Vite versions 6.4.2, 7.3.2, and 8.0.5. Users should upgrade to one of these versions or later to remediate the issue. Patch status is confirmed by the version fixes noted in the vulnerability description. No additional mitigations are indicated by the vendor advisory.