Severity: 2.3 LOW (NVD)
EPSS: 0.0% (top 95.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Sep 8; latest update Mar 12

Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML file on the machine could be served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option) and use `appType: 'spa'` (the default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server, which allowed HTML files outside the output directory to be served.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected packages (3 packages)

NVD: vitejs/vite, 6.0.0 to 6.3.6 (+3 more)
npm: vitejs/vite, 7.1.0 to 7.1.5 (+3 more)
CVEListV5: vitejs/vite, >= 6.0.0, < 6.3.6; >= 7.0.0, < 7.0.7; >= 7.1.0, < 7.1.5 (+2 more)

Patches

🔴 Vulnerability details (2)

GHSA: Vite's `server.fs` settings were not applied to HTML files (2025-09-09)
OSV: Vite's `server.fs` settings were not applied to HTML files (2025-09-09)

📋 Vendor advisories (2)

CISA ICS: Siemens SIDIS Prime (2026-03-12)
Red Hat: vite: Vite's `server.fs` settings were not applied to HTML files (2025-09-08)