🚨 [security] Update vite 7.3.0 → 7.3.2 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ vite (7.3.0 → 7.3.2) · Repo · Changelog

Security Advisories 🚨

🚨 Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

Summary

server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• WebSocket is not disabled by server.ws: false

Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.

Details

If it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "...").

The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path.

PoC

1. Start the dev server on the target
   Example (used during validation with this repository):

   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173

2. Confirm that access is blocked via the HTTP path (example: arbitrary file)

   curl -i 'http://localhost:5173/@fs/etc/passwd?raw'

   Result: 403 Restricted (outside the allow list)
   

3. Confirm that the same file can be retrieved via the WebSocket path
   By connecting to the HMR WebSocket without an Origin header and sending a vite:invoke request that calls fetchModule with a file://... URL and ?raw, the file contents are returned as a JavaScript module.

🚨 Vite: `server.fs.deny` bypassed with queries

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• the sensitive file exists in the allowed directories specified by server.fs.allow
• the sensitive file is denied with a pattern that matches a file by server.fs.deny

Details

On the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended.

PoC

1. Start the dev server: pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort
2. Confirm that server.fs.deny is enforced (expect 403): curl -i http://127.0.0.1:5175/src/.env | head -n 20
   
3. Confirm that the same files can be retrieved with query parameters (expect 200):
   

🚨 Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• have a sensitive content in files ending with .map and the path is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

1. Create a minimal PoC sourcemap outside the project root

   cat > /tmp/poc.map <<'EOF'
   {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
   EOF

2. Start the Vite dev server (example)

   pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080

3. Confirm that direct /@fs access is blocked by strict (returns 403)
   
4. Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map
   

Release Notes

7.3.2

Please refer to CHANGELOG.md for details.

7.3.1

Please refer to CHANGELOG.md for details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

• release: v7.3.2
• fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fix: check `server.fs` after stripping query as well (#22160)
• fix: backport #22159, apply server.fs check to env transport (#22162)
• test: reduce fs-serve flaky failure (#22000)
• test: extract common tests for fs-serve (#21750)
• docs: show old document warning (#21972)
• docs(deps): update vue to fix docs build
• docs(live): update calendar link (#21808)
• feat: add live page to docs (#21782)
• docs: revert "docs: remove scrimba link temporarily" (#21604)
• docs: remove scrimba link temporarily (#21598)
• release: create-vite@8.3.0
• feat(create-vite): use Vite 8 beta instead of rolldown-vite (#21597)
• fix(create-vite): update deprecated tsrouter-app to `@tanstack/cli` (#21527)
• feat(create-vite): show description for template variants (#21403)
• fix(deps): update `@clack/prompts` to 1.0.0-alpha.9 (#21421)
• fix(create-vite): skip irrelevant "immediate" prompt for external commands (#21410)
• fix(create-vite): do not create empty directory for custom commands (#21367)
• docs(degit): switch to recommending tiged (#21148)
• fix(create-vite): update QwikCity custom command to "empty" template (#21279)
• feat(create-vite): add ember (#20069)
• feat(create-vite): add AI agent experience (AX) support (#21116)
• docs: add Scrimba tutorial links across documentation (#21467)
• docs: update voidzero sponsor logo
• docs: rebrand (#21339) (#21399)
• release: v7.3.1
• feat: add `ignoreOutdatedRequests` option to `optimizeDeps` (#21364)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ask-hadith	Ready	Preview, Comment	Apr 6, 2026 8:08pm

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}