CVE-2025-58751
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-09-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vitejs | vite | Up to 5.4.20 (exc) |
| vitejs | vite | From 6.0.0 (inc) to 6.3.6 (exc) |
| vitejs | vite | From 7.0.0 (inc) to 7.0.7 (exc) |
| vitejs | vite | From 7.1.0 (inc) to 7.1.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Vite, a frontend tooling framework for JavaScript, allows files in the public directory that start with the same name to be served while bypassing the server.fs settings. It is only reachable when all three conditions hold: the app explicitly exposes the Vite dev server to the network (via --host or the server.host config option), the public directory feature is in use (it is enabled by default), and the public directory contains a symlink. Under those conditions the dev server can serve files it was configured not to expose.
How can this vulnerability impact me?
The vulnerability could allow unauthorized access to files in the public directory that should be restricted by the server.fs settings, potentially exposing sensitive files or data when the three conditions are met (the dev server is exposed to the network, the public directory is used, and it contains a symlink). The result is information disclosure from the machine running the dev server.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Vite to 5.4.20, 6.3.6, 7.0.7, or 7.1.5 (or a later release in the same major line). Additionally, avoid exposing the Vite dev server to the network with the --host flag or the server.host configuration option unless it is necessary, and be cautious about placing symlinks in the public directory.