Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-58751

Good to know:

icon
icon

Date: September 8, 2025

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or "server.host" config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

Severity Score

Related Resources (9)

https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
https://github.com/vitejs/vite
https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
https://nvd.nist.gov/vuln/detail/CVE-2025-58751
https://www.mend.io/vulnerability-database/CVE-2025-58751

Severity Score

Weakness Type (CWE)

Improper Access Control

CWE-284

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

icon

Upgrade Version

Upgrade to version vite - 7.1.5;vite - 7.0.7;vite - 6.3.6;vite - 5.4.20

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us