CVE-2025-58751 LOW

CVE-2025-58751: Vite middleware may serve files whose names begin with the public directory's name

Vendor Vitejs
Product vite
Weakness CWE-22 · Path traversal
Published September 8, 2025
Last update September 9, 2025

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality Low
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files whose names begin with the public directory's name (for example a sibling directory `public-extra` next to `public`) were served while bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

Key dates

02 Disclosure timeline

September 8, 2025 CVE published
September 9, 2025 Record updated

Related vulnerabilities

04 Related CVE