CVE-2025-58751
Severity CVSS v4.0:
LOW
Type:
CWE-22
Path Traversal
Publication date:
08/09/2025
Last modified:
17/09/2025
Description
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Impact
Base Score 4.0
2.30
Severity 4.0
LOW
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:* | 5.4.20 (excluding) | |
| cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:* | 6.0.0 (including) | 6.3.6 (excluding) |
| cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:* | 7.0.0 (including) | 7.0.7 (excluding) |
| cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:* | 7.1.0 (including) | 7.1.5 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
- https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
- https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
- https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
- https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
- https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
- https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c