CVE-2025-58752
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the server.fs settings. Only apps that explicitly expose the Vite dev server to the network (using –host or server.host config option) and use appType: 'spa' (default) or appType: 'mpa' are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vitejs | vite | < 5.4.20 | affected |
| vitejs | vite | >= 6.0.0, < 6.3.6 | affected |
| vitejs | vite | >= 7.0.0, < 7.0.7 | affected |
| vitejs | vite | >= 7.1.0, < 7.1.5 | affected |
Weaknesses
- CWE-23: CWE-23: Relative Path Traversal
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-284: CWE-284: Improper Access Control
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3
- https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f
- https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e
- https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea
- https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.