CVE-2025-58752
Published 2025-09-08
Priority P4 · 32 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.59% (43.6th percentile)
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
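To make the preconditions above concrete, here is an added example (not code from the Vite project or from any of the advisories on this page) that checks an installed Vite version against the fixed releases and audits a `vite.config` object for the two exposure conditions named for the dev server: a non-loopback `server.host` (or the `--host` flag) and `appType` of `'spa'` or `'mpa'`. The function names, the `cliHost` parameter, the loopback address set and the two sample config objects are assumptions made for this illustration; prerelease suffixes are ignored when parsing versions, and the preview server (which the advisory says is also affected) is not modelled.

```javascript
// Added example, not Vite's own code: classify a Vite install and config
// against the conditions described for CVE-2025-58752.
// Fixed releases per the advisory: 5.4.20, 6.3.6, 7.0.7, 7.1.5.

// Parse "major.minor.patch"; a leading "v" and any prerelease suffix are ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One entry per release line the advisory lists, with the release that fixed it.
const FIXED_RELEASES = [
  { inLine: ([major]) => major <= 5, fixed: [5, 4, 20] },                        // everything below 5.4.20
  { inLine: ([major]) => major === 6, fixed: [6, 3, 6] },
  { inLine: ([major, minor]) => major === 7 && minor === 0, fixed: [7, 0, 7] },
  { inLine: ([major, minor]) => major === 7 && minor >= 1, fixed: [7, 1, 5] },   // 7.2+ compares above 7.1.5
];

function isVulnerableVersion(version) {
  const v = parseVersion(version);
  const line = FIXED_RELEASES.find((l) => l.inLine(v));
  if (!line) return false; // major 8+ is outside every affected range
  return compareVersions(v, line.fixed) < 0;
}

// Condition 1: the dev server is reachable from the network.
// `vite --host` sets server.host to true; a string binds that address;
// unset means Vite's default of localhost. (Loopback set is an assumption.)
const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);
function isNetworkExposed(host) {
  if (host === true) return true;
  if (typeof host === 'string') return !LOOPBACK.has(host);
  return false;
}

// Condition 2: appType is 'spa' (the default when unset) or 'mpa'.
function isAffectedAppType(appType) {
  return appType === undefined || appType === 'spa' || appType === 'mpa';
}

// cliHost mirrors the --host flag (true, or a string address); the flag wins over config.
function assess({ version, config = {}, cliHost }) {
  const notAffectedBecause = [];
  if (!isVulnerableVersion(version)) notAffectedBecause.push(`vite ${version} contains the fix`);
  const host = cliHost !== undefined ? cliHost : config.server && config.server.host;
  if (!isNetworkExposed(host)) notAffectedBecause.push('dev server listens on loopback only');
  if (!isAffectedAppType(config.appType)) notAffectedBecause.push(`appType '${config.appType}' is not spa/mpa`);
  return { affected: notAffectedBecause.length === 0, notAffectedBecause };
}

// Constructed sample configs. fs.strict / fs.deny in the first one does not
// help: the advisory's point is that those settings were not applied to HTML
// files before the fix, so only the host and appType conditions matter here.
const EXPOSED_CONFIG = {
  server: { host: true, fs: { strict: true, deny: ['.env', '.env.*'] } },
  appType: 'spa',
};
const LOOPBACK_CONFIG = { server: { host: 'localhost' }, appType: 'spa' };

// Usage: node this-file.js
for (const [name, config] of Object.entries({ EXPOSED_CONFIG, LOOPBACK_CONFIG })) {
  console.log(name, JSON.stringify(assess({ version: '7.1.4', config })));
}
```

Run it against the version reported by `npx vite --version` and the project's own config object; a result of `affected: true` means upgrading to the fixed release for that line is the only remediation the advisory offers, since tightening `server.fs` did not cover HTML files on vulnerable versions.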
Affected (4 distinct ranges; the source lists 11 entries, including duplicates and three empty rows)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | < 5.4.20 | 5.4.20 |
| vitejs | vite | >= 6.0.0 < 6.3.6 | 6.3.6 |
| vitejs | vite | >= 7.0.0 < 7.0.7 | 7.0.7 |
| vitejs | vite | >= 7.1.0 < 7.1.5 | 7.1.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 4.0 | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 2.3 | LOW | — |
CISA ICS
Siemens SIDIS Prime
cisa_ics·2026-03-12·CVSS 7.5 [HIGH]
ICS Advisory ICSA-26-071-03, release date March 12, 2026
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
SIDIS Prime before V4.0.800 is affected by multiple vulnerabilities in the components OpenSSL, SQLite, and several Node.js packages as described below. Siemens has released a new version of SIDIS Prime and recommends updating to the latest version.
The following versions of Siemens SIDIS Prime are affected:
- SIDIS Prime vers:intdot/<4.0.800 (CVE-2024-29857, CVE-2024-30171, CVE-2024-30172, CVE-2024-41996, CVE-2025-6965, CVE-2025-7783, CVE-2025-9230, CVE-2025-9232, CVE-2025-9670, CVE-2025-12816, CVE-2025-15284, CVE-2025-58751, CVE-2025-58752, CVE-2025-58754, CVE-202
Red Hat
vendor_redhat·2025-09-08·CVSS 2.3
CVE-2025-58752 [LOW] CWE-22 vite: Vite's `server.fs` settings were not applied to HTML files
A path traversal / static-file serving bypass vulnerability has been identified in Vite’s static file server, where HTML files located outside the configured root or deny/allo
GHSA
ghsa·2025-09-09
CVE-2025-58752 [LOW] CWE-200 Vite's `server.fs` settings were not applied to HTML files
### Summary
Any HTML files on the machine were served regardless of the `server.fs` settings.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host))
- `appType: 'spa'` (default) or `appType: 'mpa'` is used
This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.
### Details
The [serveStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L123) function is in charge of serving static fi
OSV
osv·2025-09-09
CVE-2025-58752 [LOW] Vite's `server.fs` settings were not applied to HTML files
(OSV carries the same advisory text as the GHSA entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f
- https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e
- https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea
- https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6
- https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3