GHSA-P9FF-H696-F583: Arbitrary File Read via Vite Dev Server WebSocket RPC

The Vite frontend tooling framework provides a development server designed to accelerate local software engineering workflows. This development server relies on a Hot Module Replacement (HMR) mechanism to push code updates to the browser without requiring a full page refresh. Communication between the development server and the browser relies on a bidirectional WebSocket channel.

The vulnerability, tracked as GHSA-P9FF-H696-F583, represents an authorization bypass within this WebSocket interface. The bug class corresponds to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control). The vulnerability manifests because the remote procedure call (RPC) mechanism fails to enforce the filesystem boundaries that restrict standard HTTP requests.

Exploitation of this flaw grants an unauthenticated attacker the ability to read arbitrary files from the machine hosting the Vite development server. This attack requires the server to be exposed to the local network or internet using the --host configuration flag. Systems running exposed development servers inside CI/CD pipelines or shared developer environments present the highest risk profile.

Vite restricts file system access to prevent external entities from reading arbitrary files outside the workspace directory. Standard HTTP requests destined for the development server pass through transformMiddleware. This middleware explicitly validates the requested file path against the server.fs.allow configuration directive.

The root cause of GHSA-P9FF-H696-F583 lies in an alternative execution path exposed by the HotChannel WebSocket connection. This channel implements a custom RPC mechanism intended for development tasks. The channel exposes a vite:invoke command, which allows connected clients to trigger the execution of server-side methods, specifically the fetchModule function.

The fetchModule execution path completely bypassed the transformMiddleware filesystem checks. Consequently, an attacker communicating directly over the WebSocket protocol faced no authorization boundaries. The underlying file system access functions executed the read operations using the privileges of the running Node.js process.

To extract the file content rather than execute it, attackers appended query parameters such as ?raw or ?inline to the requested file path. This parameter instructed the Vite transformation pipeline to skip module compilation and return the raw file content encapsulated within an exported JavaScript string.

The pre-patch architecture coupled filesystem access checks directly to the HTTP middleware pipeline. Methods exposed via the WebSocket interface assumed the client possessed authorization to request workspace files. This architectural flaw enabled the bypass.

The maintainers resolved the vulnerability in commit f02d9fde0b195afe3ea2944414186962fbbe41e0. The primary structural change involved relocating the isServerAccessDeniedForTransform logic. Instead of residing solely in the HTTP middleware, the check now exists inside the core transformRequest function.

// Inside transformRequest (Patch Snapshot)
if (!skipFsCheck && isServerAccessDeniedForTransform(url, server)) {
  throw new Error(`Access denied to ${url}`);
}

This modification ensures that any module transformation, regardless of the entry point (HTTP or WebSocket), must satisfy the filesystem boundary checks. The patch introduced a skipFsCheck boolean to accommodate trusted internal operations.

Additionally, the patch hardens the default client environment. The default DevEnvironment object now includes a disableFetchModule: true property. This secondary defense mechanism outright prevents the WebSocket interface from processing fetchModule requests initiated by untrusted clients.

Exploitation requires the target Vite development server to accept network connections. This condition is satisfied when developers start Vite with the --host 0.0.0.0 argument or configure server.host identically. The WebSocket server listens on the same port as the development web interface.

The attacker initiates the exploit chain by establishing a direct WebSocket connection to the target port. If direct network access is constrained by firewalls but the attacker controls a website visited by the developer, the attacker can leverage Cross-Site WebSocket Hijacking (CSWSH). CSWSH succeeds because the default WebSocket configuration often lacks strict Origin header validation.

Once the WebSocket connection initializes, the attacker constructs a JSON-formatted payload mimicking the vite:invoke custom event. The payload explicitly requests the fetchModule method and passes an absolute file:// URI appended with the ?raw query parameter.

{
  "type": "custom",
  "event": "vite:invoke",
  "data": {
    "name": "fetchModule",
    "id": "exploit_id",
    "data": ["file:///etc/passwd?raw"]
  }
}

The server receives the payload, bypasses the filesystem check, and returns a JSON response containing the file data. The raw file content arrives wrapped in standard JavaScript export syntax, requiring the attacker to parse the string to reconstruct the original system file.

The vulnerability results in a total loss of confidentiality for the underlying host filesystem. The attacker operates with the exact read privileges assigned to the user executing the Vite process. In modern development workflows, this typically equates to full access over the user's home directory and active workspace.

Attackers systematically target high-value assets stored locally by developers. Immediate targets include SSH keys located in ~/.ssh/, cloud provider credentials in ~/.aws/credentials, and hardcoded secrets within .env files. Access to these files facilitates subsequent lateral movement into production environments or source code repositories.

The CVSS v4.0 vector (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) generates a score of 8.2. The metric AT:P (Attack Requirements: Present) accurately reflects the prerequisite that the server must be explicitly exposed via the --host configuration. The High Confidentiality (VC:H) metric underscores the severity of the arbitrary file read capability.

The comprehensive remediation strategy requires upgrading the vite package to a securely patched version. Organizations utilizing Vite 6.x must upgrade to version 6.4.2. Projects relying on Vite 7.x must upgrade to version 7.3.2. Environments operating Vite 8.x require an upgrade to version 8.0.5.

If immediate software updates are impossible, administrators must eliminate network exposure. Remove the --host argument from package scripts and ensure server.host is undefined or explicitly bound to the loopback interface (127.0.0.1). This action restricts the attack surface strictly to the local machine.

Security teams should proactively audit the server.fs.allow configuration directive across all Vite projects. Ensure that server.fs.strict remains enabled (the default behavior) and that the allowed paths specify the narrowest possible directories required for the application to function. This defense-in-depth measure mitigates the impact of unknown filesystem bypasses.

The provided patch represents a complete fix for the specific flaw. By centralizing the filesystem authorization check inside the transformRequest function, the maintainers structurally eliminated the possibility of alternate entry points bypassing the security boundaries.