CVE-2026-39363

HIGH NUCLEI

Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Title source: cna

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-39363. PoCs published by Hex0rc1st, f4s1on, Firebasky. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-39363, a Vite Dev Server WebSocket arbitrary file read vulnerability. The exploit leverages a security check bypass in the `fetchModule` RPC call to read files outside the project directory when `server.fs.allow` is loosely configured.

Description

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Exploits (3)

github NO CODE 1 stars

by Hex0rc1st · pythonpoc

https://github.com/Hex0rc1st/CVE_POC_monitor/tree/main/article/uploads/demo_1775787363/【已复现】Vite WebSocket 任意文件读取漏洞(CVE-2026-39363)安全风险通告

View Code ZIP pw:eip

nomisec FAILED

by f4s1on · poc

https://github.com/f4s1on/CVE-2026-39363

View Code ZIP pw:eip

nomisec WORKING POC

by Firebasky · poc

https://github.com/Firebasky/CVE-2026-39363

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-39363, a Vite Dev Server WebSocket arbitrary file read vulnerability. The exploit leverages a security check bypass in the `fetchModule` RPC call to read files outside the project directory when `server.fs.allow` is loosely configured.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Vite Dev Server < 6.2.3, < 6.1.2, < 6.0.12, < 5.4.15, < 4.5.10

No auth needed

Prerequisites: Vite Dev Server exposed on network · Loose `server.fs.allow` configuration · Access to `wsToken`

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Apr 09, 2026 Full analysis →

Nuclei Templates (1)

Vite Dev Server - Arbitrary File Read

HIGHVERIFIEDby theamanrawat

Shodan: title:"Vite App"

FOFA: body="/@vite/client"

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583

Scores

CVSS v3 7.5

EPSS 0.0571

EPSS Percentile 90.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-200 CWE-306

Status published

Products (8)

npm/vite 8.0.0 - 8.0.5npm

vitejs/vite 6.0.0 - 6.4.1

vitejs/vite >= 6.0.0, < 6.4.2

vitejs/vite >= 7.0.0, < 7.3.2

vitejs/vite >= 8.0.0, < 8.0.5

vitejs/vite-plus < 0.1.15

vitejs/vite-plus < 0.1.16

voidzero/vite\+ < 0.1.15

Published Apr 07, 2026

Tracked Since Apr 08, 2026