CVE-2025-58751
Published: 2025-09-08
Priority: P3 (40, medium) · CVSS 3.1 base score 5.3
CVSS 3.1 vector: AV:N AC:L PR:N UI:N S:U C:L I:N A:N
EXPLOIT
EPSS: 1.18% (63.8th percentile)
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | < 5.4.20 | 5.4.20 |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | >= 0 < 5.4.20 | 5.4.20 |
| vitejs | vite | >= 6.0.0 < 6.3.6 | 6.3.6 |
| vitejs | vite | >= 6.0.0 < 6.3.6 | 6.3.6 |
| vitejs | vite | >= 7.0.0 < 7.0.7 | 7.0.7 |
| vitejs | vite | >= 7.0.0 < 7.0.7 | 7.0.7 |
| vitejs | vite | >= 7.1.0 < 7.1.5 | 7.1.5 |
| vitejs | vite | >= 7.1.0 < 7.1.5 | 7.1.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 4.0 | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 2.3 | LOW | — |
CISA ICS
Siemens SIDIS Prime
cisa_ics·2026-03-12·CVSS 7.5
[HIGH] Siemens SIDIS Prime
ICS Advisory
Siemens SIDIS Prime
Release Date: March 12, 2026
Alert Code: ICSA-26-071-03
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
SIDIS Prime before V4.0.800 is affected by multiple vulnerabilities in the components OpenSSL, SQLite, and several Node.js packages, as described below. Siemens has released a new version of SIDIS Prime and recommends updating to the latest version.
The following versions of Siemens SIDIS Prime are affected:
- SIDIS Prime vers:intdot/<4.0.800 (CVE-2024-29857, CVE-2024-30171, CVE-2024-30172, CVE-2024-41996, CVE-2025-6965, CVE-2025-7783, CVE-2025-9230, CVE-2025-9232, CVE-2025-9670, CVE-2025-12816, CVE-2025-15284, CVE-2025-58751, CVE-2025-58752, CVE-2025-58754, CVE-202
Red Hat
vitejs/vite: lukeed/sirv: Vite middleware may serve files starting with the same name with the public directory
vendor_redhat·2025-09-08·CVSS 2.3
CVE-2025-58751 [LOW] CWE-22 vitejs/vite: lukeed/sirv: Vite middleware may serve files starting with the same name with the public directory
vitejs/vite: lukeed/sirv: Vite middleware may serve files starting with the same name with the public directory
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
A path traversal vulnerability has been identified in Vite’s static file serving logic, where files outside of the intended public directory may be served if their names share the same prefix
GHSA
Vite middleware may serve files starting with the same name with the public directory
ghsa·2025-09-09
CVE-2025-58751 [LOW] CWE-200 Vite middleware may serve files starting with the same name with the public directory
Vite middleware may serve files starting with the same name with the public directory
### Summary
Files starting with the same name with the public directory were served bypassing the `server.fs` settings.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default)
- a symlink exists in the public directory
### Details
The [servePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L79) function is in charge o
OSV
Vite middleware may serve files starting with the same name with the public directory
osv·2025-09-09
CVE-2025-58751 [LOW] Vite middleware may serve files starting with the same name with the public directory
Vite middleware may serve files starting with the same name with the public directory
### Summary
Files starting with the same name with the public directory were served bypassing the `server.fs` settings.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default)
- a symlink exists in the public directory
### Details
The [servePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L79) function is in charge o
No detection rules found.
Nuclei
Vite Dev Server - Path Traversal
nuclei·CVSS 2.3
CVE-2025-58751 [LOW] Vite Dev Server - Path Traversal
Vite Dev Server - Path Traversal
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Template:
```yaml
id: CVE-2025-58751
info:
  name: Vite Dev Server - Path Traversal
  author: wn147
  severity: low
  description: |
    Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the publ
```
Bugzilla
CVE-2025-58751 golang-github-task: Vite middleware may serve files starting with the same name with the public directory [fedora-42]
bugzilla·2025-09-15·CVSS 2.3
CVE-2025-58751 [LOW] CVE-2025-58751 golang-github-task: Vite middleware may serve files starting with the same name with the public directory [fedora-42]
CVE-2025-58751 golang-github-task: Vite middleware may serve files starting with the same name with the public directory [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-0
Bugzilla
CVE-2025-58751 h3: Vite middleware may serve files starting with the same name with the public directory [fedora-42]
bugzilla·2025-09-15·CVSS 2.3
CVE-2025-58751 [LOW] CVE-2025-58751 h3: Vite middleware may serve files starting with the same name with the public directory [fedora-42]
CVE-2025-58751 h3: Vite middleware may serve files starting with the same name with the public directory [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedo
https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
Published: 2025-09-08