CVE-2025-58752
MEDIUMVite <7.1.5, 7.0.7, 6.3.6, 5.4.20 - Info Disclosure
Title source: llmDescription
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
References (5)
Core 5
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3
Patch x_refsource_misc
https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f
Patch x_refsource_misc
https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e
Patch x_refsource_misc
https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea
Patch x_refsource_misc
https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6
Scores
CVSS v3
5.3
EPSS
0.0059
EPSS Percentile
43.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284
CWE-200
CWE-23
Status
published
Products (2)
npm/vite
7.1.0 - 7.1.5npm
vitejs/vite
< 5.4.20
Published
Sep 08, 2025
Tracked Since
Feb 18, 2026