CVE-2025-58752

LOW EPSS 43.6%
Published Sep 8, 20259mo ago · Modified Jun 17, 20262w ago
2.3 CVSS 4.0
Low
Find Similar
Published Sep 8, 2025 9mo ago
Last Modified Jun 17, 2026 2w ago

Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

CVSS Details

Base Score
2.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
43.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 3

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-23
CWE-284

Affected Products 4

VendorProductVersionRange
vitejsvite* <5.4.20
vitejsvite*≥6.0.0  –  <6.3.6
vitejsvite*≥7.0.0  –  <7.0.7
vitejsvite*≥7.1.0  –  <7.1.5

References 5

  • github.com https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f
    Patch
  • github.com https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e
    Patch
  • github.com https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea
    Patch
  • github.com https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6
    Patch
  • github.com https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3
    ExploitThird Party Advisory

Remediation

  • github.com https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f
    Patch
  • github.com https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e
    Patch
  • github.com https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea
    Patch
  • github.com https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6
    Patch