Update vite 6.4.1 → 6.4.2 to fix CVE-2026-39363

[Copilot]

Bumps transitive dependency vite from 6.4.1 to 6.4.2 to resolve GHSA-p9ff-h696-f583 — arbitrary file read via dev server WebSocket fetchModule bypassing server.fs restrictions.

• Lock file only change; vite is pulled in transitively by vitest

Reachability Assessment

Not reachable · High confidence

The vulnerability requires a Vite dev server exposed to the network (--host / server.host) with WebSocket enabled. This repo uses vite solely as a transitive dep of vitest for test execution — no dev server is started or network-exposed. Update is to clear the advisory from dependency scanners.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• accounts.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=network --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --mute-audio --crashpad-handler-pid=4255 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/puppeteer_dev_chrome_profile-oO5zxi --change-stack-guard-on-fork=enable --shared-files=network_parent_dirs_pipe:100,v8_context_snapshot_data:101 --metrics-shmem-handle=4,i,17893992808639807028,2294194097169780498,524288 --field-trial-handle=3,i,5634923238529073258,14717395871339934150,262144 --enable-features=PdfOopif --disable-features=AcceptCHFrame,IsolateSandboxedIframes,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version (dns block)
  • Triggering command: /home/REDACTED/work/security-report-action/security-report-action/.cache/puppeteer/chrome/linux-124.0.6367.91/chrome-linux64/chrome /home/REDACTED/work/security-report-action/security-report-action/.cache/puppeteer/chrome/linux-124.0.6367.91/chrome-linux64/chrome --allow-pre-commit-input --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-component-update --disable-default-apps --disable-dev-shm-usage --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-REDACTEDing --disable-search-engine-choice-screen --disable-sync --enable-automation (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details the Dependabot vulnerability alert you should resolve

<alert_title>Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket</alert_title>
<alert_description>### Summary

server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• WebSocket is not disabled by server.ws: false

Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.

Details

If it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "...").

The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path.

PoC

1. Start the dev server on the target
   Example (used during validation with this repository):

   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173

2. Confirm that access is blocked via the HTTP path (example: arbitrary file)

   curl -i 'http://localhost:5173/@fs/etc/passwd?raw'

   Result: 403 Restricted (outside the allow list)
   

3. Confirm that the same file can be retrieved via the WebSocket path
   By connecting to the HMR WebSocket without an Origin header and sending a vite:invoke request that calls fetchModule with a file://... URL and ?raw, the file contents are returned as a JavaScript module.

high
GHSA-p9ff-h696-f583, CVE-2026-39363
vite
npm
<vulnerable_versions>6.4.1</vulnerable_versions>
<patched_version>6.4.2</patched_version>
<manifest_path>package-lock.json</manifest_path>

https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583 https://github.com/vitejs/vite/pull/22159 https://github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0 https://github.com/vitejs/vite/releases/tag/v6.4.2 https://github.com/vitejs/vite/releases/tag/v7.3.2 https://github.com/vitejs/vite/releases/tag/v8.0.5 https://nvd.nist.gov/vuln/detail/CVE-2026-39363 https://github.com/advisories/GHSA-p9ff-h696-f583

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachability could not be determined and explain why. Include a confidence level in the reachability assessment (e.g. high confidence if the advisory names a specific API and you confirmed it is or is not called, low confidence if the usage is indirect and hard to trace). If no patched version is available, check the alert_description field for a Workarounds section — the advisory may describe configuration changes or usage patterns that mitigate the vulnerability without a version update. If a workaround is available, apply it and leave a code comment referencing the advisory identifier explaining it is a temporary mitigation. If neither a patch nor a workaround is available, explain in the PR description why the alert cannot be resolved automatica...

• Resolves advanced-security/security-report-action alert #60