CVE-2025-58752

Exploit

EPSS 0.03%
Veröffentlicht 08.09.2025 22:56:58
Zuletzt bearbeitet 17.09.2025 16:12:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vitejs ≫ Vite SwPlatformnode.js Version < 5.4.20

Vitejs ≫ Vite SwPlatformnode.js Version >= 6.0.0 < 6.3.6

Vitejs ≫ Vite SwPlatformnode.js Version >= 7.0.0 < 7.0.7

Vitejs ≫ Vite SwPlatformnode.js Version >= 7.1.0 < 7.1.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.059

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	2.3	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3

Third Party Advisory

Exploit

https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f

Patch

https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e

Patch

https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea

Patch

https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-58752

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-58752

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-58752

EUVD