Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-58751Path Traversal in Vite

CWE-22Path TraversalCWE-200Sensitive Information ExposureCWE-284Improper Access Control6 documents6 sources
Severity
2.3LOWNVD
EPSS
1.4%
top 19.38%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Vitejs Vite
Timeline
PublishedSep 8
Latest updateMar 12

Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

NVDvitejs/vite6.0.06.3.6+3
npmvitejs/vite7.1.07.1.5+3
CVEListV5vitejs/vite>= 6.0.0, < 6.3.6, >= 7.0.0, < 7.0.7, >= 7.1.0, < 7.1.5+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
Vite middleware may serve files starting with the same name with the public directory2025-09-09
OSV
Vite middleware may serve files starting with the same name with the public directory2025-09-09

💥Exploits & PoCs

1
Nuclei
Vite Dev Server - Path Traversal

📋Vendor Advisories

2
CISA ICS
Siemens SIDIS Prime2026-03-12
Red Hat
vitejs/vite: lukeed/sirv: Vite middleware may serve files starting with the same name with the public directory2025-09-08