Platform: nodejs
Component: vite
Fixed in: 5.4.21, 6.0.1, 7.0.1, 7.1.1, 7.1.5
CVE-2025-58752 describes a vulnerability in Vite where any HTML file on the system could be served, bypassing the intended server.fs settings. This allows unauthorized access to sensitive files. The vulnerability impacts Vite versions before 7.1.5 and affects applications that explicitly expose the Vite dev server to the network with appType: 'spa' or appType: 'mpa'. A fix is available in version 7.1.5.
The primary impact of CVE-2025-58752 is unauthorized information disclosure. An attacker who can access the exposed Vite development server could potentially retrieve arbitrary HTML files from the system. This could include sensitive configuration files, internal documentation, or even parts of the application's codebase. The vulnerability is particularly concerning for development environments where sensitive data might be present. The preview server is also affected, allowing access to HTML files outside the intended output directory. This vulnerability is not a remote code execution (RCE) issue; it's a file disclosure vulnerability.
CVE-2025-58752 has been publicly disclosed. As of the current date, there are no known public proof-of-concept exploits. Its CVSS score is LOW (2.5); the EPSS figure below estimates the likelihood of exploitation. It was published on 2025-09-09. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
The primary mitigation for CVE-2025-58752 is to upgrade to Vite version 7.1.5 or later. If upgrading is not immediately feasible, restrict access to the Vite development server by ensuring it is not exposed to the network (remove --host flag or set server.host to localhost). Consider using a reverse proxy or firewall to further restrict access. Regularly review and update your Vite configuration to ensure it adheres to security best practices. After upgrading, confirm the fix by attempting to access arbitrary HTML files through the development server; they should be denied.
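The exposure conditions above (a dev or preview server listening on a network interface while appType is 'spa' or 'mpa') can be checked mechanically against a Vite config object. The following is an added example written for this page, not code from the Vite project: it uses the real Vite options server.host, preview.host and appType, while the function names, the loopback heuristic and the sample configs are this example's own assumptions. It shows the weak setting next to the corrected one.

```javascript
// Added example (not Vite's own code): audit a Vite config object for the
// network-exposure conditions described in the advisory for CVE-2025-58752.
// Option names (server.host, preview.host, appType) are real Vite options;
// the helper names and the loopback heuristic below are assumptions.

// Hosts that keep the server on the local machine only. In Vite, an unset
// server.host defaults to 'localhost'; host: true or '0.0.0.0' (what the
// bare `--host` CLI flag sets) listens on LAN and public interfaces.
const LOOPBACK_HOSTS = new Set([undefined, false, 'localhost', '127.0.0.1', '::1']);

function listensOnNetwork(host) {
  return !LOOPBACK_HOSTS.has(host);
}

// Returns which servers are exposed and whether the advisory's affected
// configuration (exposed + appType 'spa'/'mpa') is present.
function auditViteConfig(config) {
  const server = config.server || {};
  const preview = config.preview || {};
  // Vite's default appType is 'spa', which is one of the affected values.
  const appType = config.appType === undefined ? 'spa' : config.appType;
  const affectedAppType = appType === 'spa' || appType === 'mpa';

  const devExposed = listensOnNetwork(server.host);
  // In Vite, preview.host falls back to server.host when not set.
  const previewHost = preview.host === undefined ? server.host : preview.host;
  const previewExposed = listensOnNetwork(previewHost);

  const findings = [];
  if (devExposed && affectedAppType) {
    findings.push(`dev server listens on the network with appType '${appType}'`);
  }
  if (previewExposed && affectedAppType) {
    findings.push(`preview server listens on the network with appType '${appType}'`);
  }
  return { devExposed, previewExposed, appType, findings, atRisk: findings.length > 0 };
}

// Constructed sample configs: the weak setting beside the corrected one.
// weakConfig is what `vite --host` (or server.host: true) produces.
const weakConfig = { server: { host: true }, appType: 'spa' };
// hardenedConfig keeps the dev server on loopback and leaves fs.strict on.
const hardenedConfig = { server: { host: 'localhost', fs: { strict: true } }, appType: 'spa' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditViteConfig(weakConfig));
  console.log('hardened:', auditViteConfig(hardenedConfig));
}
```

The audit is a configuration check only; it says nothing about the Vite version in use, so pair it with the version upgrade the advisory recommends rather than using it as a substitute.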
Upgrade Vite to version 7.1.5 or later. If you cannot upgrade immediately, avoid exposing the Vite development server to the network (do not use `--host` or the `server.host` configuration option) and, where possible, make sure you are not using `appType: 'spa'` or `appType: 'mpa'`. For the preview server, make sure that only HTML files inside the output directory are served.
CVE-2025-58752 is a LOW severity vulnerability in Vite versions before 7.1.5 that allows unauthorized HTML files to be served via the development server if it's exposed to the network, potentially leading to information disclosure.
You are affected if you are using Vite versions prior to 7.1.5 and your development server is accessible from the network (e.g., using --host or server.host configured to a public IP).
Upgrade to Vite version 7.1.5 or later. If immediate upgrade isn't possible, restrict network access to the development server.
As of the current date, there are no known active exploits for CVE-2025-58752, but it's still important to mitigate the vulnerability.
Refer to the Vite project's official security advisories and release notes on their GitHub repository: https://github.com/vitejs/vite