Platform
nodejs
Component
vite
Fixed in
5.4.21
6.0.1
7.0.1
7.1.1
7.1.5
CVE-2025-58751 describes a directory traversal vulnerability discovered in Vite, a build tool for JavaScript applications. This flaw allows attackers to potentially access files outside the intended public directory if specific conditions are met. The vulnerability affects Vite versions before 7.1.5 and requires the Vite development server to be exposed to the network and the public directory feature to be enabled, alongside a symlink within the public directory.
The impact of CVE-2025-58751 is contingent on several factors. An attacker must first be able to access the Vite development server over the network, typically achieved by using the --host flag or configuring the server.host option. They must also be utilizing Vite's public directory feature, which is enabled by default. Crucially, a symbolic link (symlink) must exist within the public directory. If all these conditions are met, an attacker can leverage the symlink to traverse outside the intended public directory and potentially access sensitive files on the server's file system. This could include configuration files, source code, or other data that should not be publicly accessible. The potential for data exfiltration and compromise depends on the sensitivity of the files accessible through this traversal.
CVE-2025-58751 has a LOW CVSS score of 2.5. As of the current date, there are no publicly available proof-of-concept exploits. The vulnerability was disclosed on 2025-09-09. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation if the conditions are met warrants attention.
Exploit Status
EPSS
1.42% (80% percentile)
CISA SSVC
The primary mitigation for CVE-2025-58751 is to upgrade to Vite version 7.1.5 or later, which contains the fix. If upgrading immediately is not feasible, consider temporarily disabling the public directory feature by removing the symlink. Carefully review your Vite configuration to ensure the server.host option is not set to expose the development server to the network unless absolutely necessary. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for suspicious requests attempting to access files outside the expected public directory. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring file system access logs for unusual activity within the public directory is recommended.
Update Vite to version 5.4.20, 6.3.6, 7.0.7, or 7.1.5, or a later version. This corrects the vulnerability that allows serving files from the public directory insecurely. Ensure you do not expose the Vite development server to the network without proper precautions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-58751 is a directory traversal vulnerability in Vite affecting versions before 7.1.5. It allows attackers to access files outside the intended public directory if the Vite dev server is exposed and symlinks are present.
You are affected if you are using Vite versions prior to 7.1.5, have the public directory feature enabled, and your Vite development server is accessible over the network with symlinks in the public directory.
Upgrade to Vite version 7.1.5 or later. As a temporary workaround, disable the public directory feature by removing any symlinks within the public directory.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants attention and proactive mitigation.
Refer to the Vite project's official security advisories and release notes on their GitHub repository: https://github.com/vitejs/vite
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.