CVE-2025-58751

Summary

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the server.fs settings. Only apps that explicitly expose the Vite dev server to the network (using –host or server.host config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

Affected Software

VendorProductVersion RangeStatus
vitejsvite< 5.4.20affected
vitejsvite>= 6.0.0, < 6.3.6affected
vitejsvite>= 7.0.0, < 7.0.7affected
vitejsvite>= 7.1.0, < 7.1.5affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References