fix: update vite 7.3.0 → 7.3.2 (GHSA-p9ff-h696-f583)#750
Merged
Conversation
rithviknishad
previously approved these changes
Apr 8, 2026
rithviknishad
approved these changes
Apr 8, 2026
Copilot
AI
changed the title
[WIP] Fix Vite vulnerability to arbitrary file read via WebSocket
fix: update vite 7.3.0 → 7.3.2 (GHSA-p9ff-h696-f583)
Apr 8, 2026
Copilot stopped work on behalf of
rithviknishad due to an error
April 8, 2026 11:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Patches CVE-2026-39363 — arbitrary file read via Vite dev server WebSocket bypassing
server.fsaccess controls.What
viteat7.3.2(transitive dep ofvitest)Why
High-severity vulnerability: the
fetchModulemethod exposed on Vite's HMR WebSocket does not enforceserver.fsrestrictions, allowing unauthenticated reads of arbitrary files when the dev server is network-exposed.How
viteis not a direct dependency — it's pulled in transitively byvitest@4.1.3. Added a version override inpnpm-workspace.yamlto force resolution to the patched version:Reachability: Not reachable (high confidence)
The vulnerability requires exposing Vite's dev server to the network (
--host/server.host). This codebase has novite.config.*, no Vite dev server usage, and uses Next.js for web serving. Vite is present solely as a vitest transitive dependency. Update satisfies vulnerability scanners.Related Issues
Type of Change
Packages Affected
Quality Checklist
Core Requirements (Mandatory)
Version Management
pnpm changesetfor version-tracked packagesTesting
pnpm testruns successfullypnpm test:coverageto verifyBuild & Type Safety
pnpm build:packagescompletes without errorsDocumentation
/docs) updated if neededPlugin-Specific Requirements
Screenshots / Videos
Original prompt
This section details the Dependabot vulnerability alert you should resolve
<alert_title>Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket</alert_title>
<alert_description>### Summary
server.fscheck was not enforced to thefetchModulemethod that is exposed in Vite dev server's WebSocket.Impact
Only apps that match the following conditions are affected:
--hostorserver.hostconfig option)server.ws: falseArbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.
Details
If it is possible to connect to the Vite dev server’s WebSocket without an
Originheader, an attacker can invokefetchModulevia the custom WebSocket eventvite:invokeand combinefile://...with?raw(or?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g.,export default "...").The access control enforced in the HTTP request path (such as
server.fs.allow) is not applied to this WebSocket-based execution path.PoC
Start the dev server on the target
Example (used during validation with this repository):
pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173Confirm that access is blocked via the HTTP path (example: arbitrary file)
curl -i 'http://localhost:5173/@fs/etc/passwd?raw'Result:
403 Restricted(outside the allow list)Confirm that the same file can be retrieved via the WebSocket path
By connecting to the HMR WebSocket without an
Originheader and sending avite:invokerequest that callsfetchModulewith afile://...URL and?raw, the file contents are returned as a JavaScript module.high
https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583 https://github.com/vitejs/vite/pull/22159 https://github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0 https://github.com/vitejs/vite/releases/tag/v6.4.2 https://github.com/vitejs/vite/releases/tag/v7.3.2 https://github.com/vitejs/vite/releases/tag/v8.0.5 https://nvd.nist.gov/vuln/detail/CVE-2026-39363 https://github.com/advisories/GHSA-p9ff-h696-f583GHSA-p9ff-h696-f583, CVE-2026-39363
vite
npm
<vulnerable_versions>7.3.0</vulnerable_versions>
<patched_version>7.3.2</patched_version>
<manifest_path>pnpm-lock.yaml</manifest_path>
<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachability could not be determined and explain why. Include a confidence level in the reachability assessment (e.g. high confidence if the advisory names a specific API and you confirmed it is or is not called, low confidence if the usage is indirect and hard to trace). If no patched version is available, check the alert_description field for a Workarounds section — the advisory may describe configuration changes or usage patterns that mitigate the vulnerability without a version update. If a workaround is available, apply it and leave a code comment referencing the advisory identifier explaining it is a temporary mitigation. If neither a patch nor a workaround is available, explain in the PR description why the alert cannot be resolved automatically...