CVE-2025-58752
Last modified
CVE-2025-58752 is a low-severity vulnerability rated 2.3/10 on the CVSS scale. Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. EPSS estimates a 0.59% chance of exploitation in the next 30 days.
Description
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vitejs | Vite | < 5.4.20 |
| Vitejs | Vite | >= 6.0.0, < 6.3.6 |
| Vitejs | Vite | >= 7.0.0, < 7.0.7 |
| Vitejs | Vite | >= 7.1.0, < 7.1.5 |
References
- https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3Exploit, Third Party Advisory
- https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-58752?
How severe is CVE-2025-58752?
How do I fix CVE-2025-58752?
Are you affected by CVE-2025-58752?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST