CVE-2025-58751
2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the server.fs settings. Only apps that explicitly expose the Vite dev server to the network (using –host or server.host config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vitejs | vite | < 5.4.20 | affected |
| vitejs | vite | >= 6.0.0, < 6.3.6 | affected |
| vitejs | vite | >= 7.0.0, < 7.0.7 | affected |
| vitejs | vite | >= 7.1.0, < 7.1.5 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-284: CWE-284: Improper Access Control
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
- https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
- https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
- https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
- https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
- https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.