CVE-2025-58752 LOW

CVE-2025-58752: Vite's `server.fs` settings were not applied to HTML files

Vendor Vitejs

Product vite

Weakness CWE-23

Published September 8, 2025

Last update September 9, 2025

View on NVD All CVEs

CVSS base score

2.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

Key dates

02Disclosure timeline

September 8, 2025 CVE published

September 9, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-58752

Related vulnerabilities

Identifiers

CVE CVE-2025-58752

CWE CWE-23

CVSS 2.3 / LOW

Affected versions

Vendor Vitejs

Product vite

Affected < 5.4.20

Vendor Vitejs

Product vite

Affected >= 6.0.0, < 6.3.6

Vendor Vitejs

Product vite

Affected >= 7.0.0, < 7.0.7

Vendor Vitejs

Product vite

Affected >= 7.1.0, < 7.1.5

CVE-2025-58752: Vite's `server.fs` settings were not applied to HTML files

01Description

02Disclosure timeline

03References

04Related CVE