Plattform
nodejs
Komponente
vite
Behoben in
5.4.21
6.0.1
7.0.1
7.1.1
7.1.5
CVE-2025-58751 describes a directory traversal vulnerability discovered in Vite, a build tool for JavaScript applications. This flaw allows attackers to potentially access files outside the intended public directory if specific conditions are met. The vulnerability affects Vite versions before 7.1.5 and requires the Vite development server to be exposed to the network and the public directory feature to be enabled, alongside a symlink within the public directory.
The impact of CVE-2025-58751 is contingent on several factors. An attacker must first be able to access the Vite development server over the network, typically achieved by using the --host flag or configuring the server.host option. They must also be utilizing Vite's public directory feature, which is enabled by default. Crucially, a symbolic link (symlink) must exist within the public directory. If all these conditions are met, an attacker can leverage the symlink to traverse outside the intended public directory and potentially access sensitive files on the server's file system. This could include configuration files, source code, or other data that should not be publicly accessible. The potential for data exfiltration and compromise depends on the sensitivity of the files accessible through this traversal.
CVE-2025-58751 has a LOW CVSS score of 2.5. As of the current date, there are no publicly available proof-of-concept exploits. The vulnerability was disclosed on 2025-09-09. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation if the conditions are met warrants attention.
Development teams using Vite with the public directory feature enabled and the Vite development server exposed to the network are at risk. This includes projects utilizing symlinks within the public directory, particularly those with less stringent security practices or those running in shared hosting environments where symlink creation might be easier.
• nodejs / server:
find /path/to/vite/public -type l -print # Check for symlinks in the public directory• nodejs / server:
ps aux | grep 'vite --host' # Check for Vite dev server exposed to the network• generic web:
Inspect the Vite configuration file (vite.config.js) for the server.host option. Ensure it is not set to '0.0.0.0' or a public IP address.
disclosure
Exploit-Status
EPSS
1.42% (80% Perzentil)
CISA SSVC
The primary mitigation for CVE-2025-58751 is to upgrade to Vite version 7.1.5 or later, which contains the fix. If upgrading immediately is not feasible, consider temporarily disabling the public directory feature by removing the symlink. Carefully review your Vite configuration to ensure the server.host option is not set to expose the development server to the network unless absolutely necessary. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for suspicious requests attempting to access files outside the expected public directory. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring file system access logs for unusual activity within the public directory is recommended.
Actualice Vite a la versión 5.4.20, 6.3.6, 7.0.7 o 7.1.5, o a una versión posterior. Esto corrige la vulnerabilidad que permite servir archivos desde el directorio público de forma insegura. Asegúrese de no exponer el servidor de desarrollo de Vite a la red sin las debidas precauciones.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-58751 is a directory traversal vulnerability in Vite affecting versions before 7.1.5. It allows attackers to access files outside the intended public directory if the Vite dev server is exposed and symlinks are present.
You are affected if you are using Vite versions prior to 7.1.5, have the public directory feature enabled, and your Vite development server is accessible over the network with symlinks in the public directory.
Upgrade to Vite version 7.1.5 or later. As a temporary workaround, disable the public directory feature by removing any symlinks within the public directory.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants attention and proactive mitigation.
Refer to the Vite project's official security advisories and release notes on their GitHub repository: https://github.com/vitejs/vite
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.