CVE-2025-58752

MEDIUM

Vite <7.1.5, 7.0.7, 6.3.6, 5.4.20 - Info Disclosure

Title source: llm

Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

References (5)

[Exploit, Third Party Advisory] https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3

[Patch] https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f

[Patch] https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e

[Patch] https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea

[Patch] https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6

View Patch ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0002

EPSS Percentile 4.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-284 CWE-200 CWE-23

Status published

Products (2)

npm/vite 7.1.0 - 7.1.5npm

vitejs/vite < 5.4.20

Published Sep 08, 2025

Tracked Since Feb 18, 2026