CVE-2025-58751
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-08

Last updated on: 2025-09-17

Assigner: GitHub, Inc.

Description
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-08
Last Modified
2025-09-17
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58751
EUVD
EUVD-2025-27181
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vitejs vite to 5.4.20 (exc)
vitejs vite From 6.0.0 (inc) to 6.3.6 (exc)
vitejs vite From 7.0.0 (inc) to 7.0.7 (exc)
vitejs vite From 7.1.0 (inc) to 7.1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Vite, a frontend tooling framework for JavaScript, allows files in the public directory that start with the same name to be served bypassing the server.fs settings. This occurs only if the app explicitly exposes the Vite dev server to the network (using --host or server.host config option), uses the public directory feature (enabled by default), and has a symlink in the public directory. This could lead to unintended file serving behavior.

Impact Analysis

The vulnerability could allow unauthorized access to files in the public directory that should be restricted by server.fs settings, potentially exposing sensitive files or data if the conditions are met (exposing the dev server to the network, using the public directory, and having a symlink). This could lead to information disclosure or other security issues.

Mitigation Strategies

To mitigate this vulnerability, update Vite to version 7.1.5, 7.0.7, 6.3.6, or 5.4.20 or later. Additionally, avoid exposing the Vite dev server to the network using the --host or server.host configuration option unless necessary, and be cautious when using the public directory feature with symlinks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58751. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart