CVE-2025-58752

Exploit

EPSS 0.59%
Veröffentlicht 08.09.2025 22:56:58
Zuletzt bearbeitet 17.09.2025 16:12:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vite's `server.fs` settings were not applied to HTML files

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 8

NVD 4 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vitejs ≫ Vite SwPlatformnode.js Version < 5.4.20

Vitejs ≫ Vite SwPlatformnode.js Version >= 6.0.0 < 6.3.6

Vitejs ≫ Vite SwPlatformnode.js Version >= 7.0.0 < 7.0.7

Vitejs ≫ Vite SwPlatformnode.js Version >= 7.1.0 < 7.1.5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.59%	0.433

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	2.3	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3

Third Party Advisory

Exploit

https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f

Patch

https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e

Patch

https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea

Patch

https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-58752

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-58752

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-58752

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-58752