Vite is a widely used front-end build tool and development server. Its dev server has no authentication of its own, so any organization whose development pipeline exposes it to untrusted networks risks unauthenticated exposure of source code and configuration files. Leaked source and source maps can reveal proprietary application logic, internal API structure, and hardcoded secrets, giving attackers the reconnaissance needed to mount deeper intrusions. Where secrets or credentials were exposed, the organization faces downstream breach risk, potential regulatory notification obligations, and reputational harm if client-facing systems are subsequently compromised.
You Are Affected If
You run vitejs/vite 6.0.0–6.4.1, 7.0.0–7.3.1, or 8.0.0–8.0.4 in any environment (including transitive copies pulled in by plugins or frameworks)
Your Vite development server is accessible from outside localhost or an isolated development network
You have not yet upgraded to vitejs/vite 6.4.2, 7.3.2, or 8.0.5
Your Vite configuration does not keep server.host at its default of 'localhost' and server.fs.strict at its default of true (for example, host: true, host: '0.0.0.0', or the --host CLI flag binds the dev server to all interfaces); these are compensating controls only and do not replace the upgrade
Your .env files, API keys, or other secrets are present in the project root or in other directories the Vite dev server process can read
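The following triage helper is an added example, not part of the original advisory or of the Vite project. It classifies the vite versions recorded in a package-lock.json against the affected and patched versions listed above, and audits resolved server options for the two compensating controls named in the checklist. The lockfile and config objects embedded in it are constructed samples; the semver comparison is hand-rolled so the script runs offline with no dependencies.

```javascript
// Added triage helper (not the advisory's or Vite's own code).
// Fixed versions exactly as named in this advisory; anything below them in the
// same major is treated as affected.
const PATCHED_BY_MAJOR = { 6: [6, 4, 2], 7: [7, 3, 2], 8: [8, 0, 5] };

// Parse "x.y.z", "vx.y.z", or "x.y.z-pre.1+build"; returns null on anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// 'affected' | 'patched' | 'not-listed' (majors this advisory does not name) | 'unparseable'
function classifyViteVersion(version) {
  const p = parseVersion(version);
  if (!p) return 'unparseable';
  const fixed = PATCHED_BY_MAJOR[p.nums[0]];
  if (!fixed) return 'not-listed';
  const c = compareNums(p.nums, fixed);
  // A prerelease of the fixed release (e.g. 8.0.5-beta.0) sorts below it in
  // semver, so it is conservatively reported as affected.
  if (c < 0 || (c === 0 && p.prerelease)) return 'affected';
  return 'patched';
}

// Walk a lockfileVersion 2/3 "packages" map and report every installed copy of
// vite, including nested copies under other packages' node_modules.
function findViteInLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/vite' || path.endsWith('/node_modules/vite')) {
      hits.push({ path, version: entry.version, status: classifyViteVersion(entry.version) });
    }
  }
  return hits;
}

// Audit resolved `server` options for the compensating controls in the checklist.
// Vite's defaults are host 'localhost' and fs.strict true; host: true or
// '0.0.0.0' listens on all interfaces.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
function auditServerConfig(server = {}) {
  const findings = [];
  const { host, fs } = server;
  if (host === true || (typeof host === 'string' && !LOOPBACK_HOSTS.has(host))) {
    findings.push(`server.host=${JSON.stringify(host)} exposes the dev server beyond localhost`);
  }
  if (fs && fs.strict === false) {
    findings.push('server.fs.strict=false disables the project-root file serving restriction');
  }
  return findings;
}

// Constructed sample lockfile: a root vite and a second copy nested under a plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', dependencies: { vite: '^6.0.0' } },
    'node_modules/vite': { version: '6.4.1' },
    'node_modules/some-plugin/node_modules/vite': { version: '7.3.2' },
  },
};

// Constructed sample configs: the weak settings beside the hardened defaults.
const WEAK_SERVER = { host: '0.0.0.0', fs: { strict: false } };
const HARDENED_SERVER = { host: 'localhost', fs: { strict: true } };

console.log(findViteInLockfile(SAMPLE_LOCK));
console.log('weak:', auditServerConfig(WEAK_SERVER));
console.log('hardened:', auditServerConfig(HARDENED_SERVER));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed contents of package-lock.json; any entry with status 'affected' needs the upgrade regardless of what the config audit reports, since the host and fs settings only narrow exposure.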
Board Talking Points
A confirmed, actively exploited vulnerability in a widely used development tool allows attackers to read sensitive files — including source code and credentials — from affected systems without authentication.
Development and engineering teams should upgrade all Vite installations, including copies nested under plugins and frameworks, to a patched version (6.4.2, 7.3.2, or 8.0.5) within 24–48 hours, and immediately block network access to any dev server that is reachable from outside localhost or an isolated development network.
Organizations that do not act risk credential theft and source code exposure that could enable deeper system compromise and potential regulatory notification obligations.