Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0979

NIXPKGS-2026-0979
published on
Permalink CVE-2026-39363
updated 2 days, 1 hour ago by @LeSuisse Activity log
  • Created automatic suggestion 2 days, 10 hours ago
  • @LeSuisse removed
    7 packages
    • vite
    • vitess
    • vitetris
    • python312Packages.django-vite
    • python313Packages.django-vite
    • python314Packages.django-vite
    • vscode-extensions.vitest.explorer
    2 days, 1 hour ago
  • @LeSuisse accepted 2 days, 1 hour ago
  • @LeSuisse published on GitHub 2 days, 1 hour ago
Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "..."). The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path. This vulnerability is fixed in 6.4.2, 7.3.2, and 8.0.5.

Affected products

vite
  • ==>= 8.0.0, < 8.0.5
  • ==>= 7.0.0, < 7.3.2
  • ==>= 6.0.0, < 6.4.2
vite-plus
  • ==< 0.1.16

Matching in nixpkgs

pkgs.vitejs

Frontend tooling for NodeJS

Ignored packages (7)

pkgs.vite

Visual Trace Explorer (ViTE), a tool to visualize execution traces

  • nixos-unstable 1.4
    • nixpkgs-unstable 1.4
    • nixos-unstable-small 1.4
  • nixos-25.11 1.4
    • nixos-25.11-small 1.4
    • nixpkgs-25.11-darwin 1.4

pkgs.vitess

Database clustering system for horizontal scaling of MySQL