Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-58752
Good to know:
Date: September 8, 2025
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the "server.fs" settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use "appType: 'spa'" (default) or "appType: 'mpa'" are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Severity Score
Related Resources (9)
Severity Score
Weakness Type (CWE)
Top Fix
Upgrade Version
Upgrade to version vite - 5.4.20;vite - 6.3.6;vite - 7.0.7;vite - 7.1.5;vite - 5.4.20;https://github.com/vitejs/vite.git - v5.4.20;https://github.com/vitejs/vite.git - v6.3.6;https://github.com/vitejs/vite.git - v7.0.7;https://github.com/vitejs/vite.git - v7.1.5
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | REQUIRED |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | NONE |
| Availability (A): | NONE |