## Vite Dev Server Path Traversal Vulnerability Exposes Files Outside Project Root
A path traversal vulnerability in Vite's development server enables unauthorized file access by bypassing the server's file system restrictions. The flaw affects versions 6.0.0 through 6.4.1, 7.x before 7.3.2, and 8.x before 8.0.5, where the dev server's handling of .map requests resolves file paths without filtering "../" sequences from URLs.

The vulnerability lies in the dev server's handling of source map requests. By crafting URLs containing directory traversal sequences, attackers can circumvent the server.fs.strict allow list and retrieve .map files located outside the project root directory. The retrieved files must still parse as valid source map JSON, which somewhat constrains the scope of accessible content. However, source map files frequently contain application source code fragments and debugging metadata, so the flaw can expose sensitive application logic.

The issue has been remediated in versions 6.4.2, 7.3.2, and 8.0.5. Organizations running affected Vite versions in development environments should upgrade immediately. Production builds are unaffected since the vulnerability exists solely within the dev server functionality. Given that development servers often operate with broader file system access for debugging purposes, the risk of local file inclusion is elevated compared to hardened production configurations.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: path traversal, information disclosure, source maps, dev server, security vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-23 18:54:10
- **ID**: 76500
- **URL**: https://whisperx.ai/en/intel/76500