Vite Arbitrary File Read Vulnerability via WebSocket
Vite versions 6.0.0 to 8.0.4 are vulnerable to arbitrary file read, allowing attackers to bypass access controls and retrieve the contents of arbitrary files on the server via the WebSocket path when the dev server is exposed to the network.
Vite, a popular build tool, is susceptible to an arbitrary file read vulnerability affecting versions 6.0.0 through 8.0.4. This vulnerability arises when the Vite development server is exposed to the network using the --host command-line argument or the server.host configuration option, and the WebSocket is not disabled (server.ws: false). An attacker can exploit this by sending a vite:invoke request via the WebSocket to the fetchModule method, bypassing the server.fs access controls enforced on HTTP requests. This allows an unauthenticated attacker to retrieve the content of any file on the server, including sensitive configuration files and source code, which could lead to information disclosure and further exploitation. The vulnerability was reported on April 6th, 2026.
Attack Chain
- The attacker identifies a vulnerable Vite development server exposed to the network (e.g., via Shodan or similar reconnaissance).
- The attacker connects to the Vite dev server's WebSocket without an
Originheader. - The attacker sends a crafted
vite:invokeWebSocket message to call thefetchModulemethod. - The
vite:invokemessage includes afile://URL pointing to the target file (e.g.,/etc/passwd) along with the?rawquery parameter. - The vulnerable Vite server processes the
fetchModulerequest through the WebSocket connection, bypassing the intended HTTP access controls. - The server reads the contents of the specified file.
- The server returns the file contents as a JavaScript string within a WebSocket response.
- The attacker receives the file content and can use it to gather sensitive information.
Impact
Successful exploitation allows an attacker to read arbitrary files on the server where the Vite development server is running. This includes development machines, CI environments, and containers. The vulnerability can lead to the disclosure of sensitive information, such as application source code, configuration files containing credentials, and internal documentation. This could allow an attacker to gain unauthorized access to internal systems and data, leading to potential data breaches or further compromise of the environment.
Recommendation
- Upgrade Vite to a patched version (>= 8.0.5, >= 7.3.2, >= 6.4.2) to remediate the vulnerability.
- Ensure that the Vite development server is not exposed to the public network unless absolutely necessary. If exposure is required, implement strict network access controls.
- Disable the WebSocket server (
server.ws: false) if it is not required for development purposes. - Monitor network connections for unusual WebSocket activity originating from or directed towards Vite development servers. Deploy the following Sigma rule to detect WebSocket connections without an Origin header:
Vite WebSocket Connection Without Origin - Review and restrict the
server.fs.allowconfiguration to limit file system access, even though it is bypassed in this vulnerability.
Detection coverage 2
Vite WebSocket Connection Without Origin
mediumDetects WebSocket connections to a Vite development server without an Origin header, which is a prerequisite for exploiting the arbitrary file read vulnerability.
Vite Dev Server Exposed to Network
lowDetects Vite dev server running with host option exposed to the network.
Detection queries are available on the platform. Get full rules →