Platform: nodejs
Component: vite
Fixed in: 5.4.21, 6.0.1, 7.0.1, 7.1.1, 7.1.5
CVE-2025-58752 describes a vulnerability in Vite where any HTML file on the machine could be served by the dev server, bypassing the intended server.fs settings (server.fs.allow / server.fs.deny / server.fs.strict). This allows unauthorized access to HTML files outside the directories the server was meant to expose. The vulnerability impacts Vite versions before 7.1.5 and only affects applications that explicitly expose the Vite dev server to the network (via --host or the server.host option) and use appType: 'spa' (Vite's default) or appType: 'mpa'. A fix is available in version 7.1.5.
The primary impact of CVE-2025-58752 is unauthorized information disclosure. An attacker who can reach the exposed Vite development server could retrieve HTML files from anywhere on the system that the Vite process can read, not only from the project root. Because the bypass applies to files the server handles as HTML, the practical exposure is HTML documents that happen to live on the host outside the project: internal documentation, generated reports, templates, or HTML files from other checkouts. It is not an arbitrary-file read of configuration files or source code in other formats. The concern is greatest on development machines, where such material is often present. The preview server is also affected, allowing access to HTML files outside the intended output directory. This is not a remote code execution (RCE) issue; it is a file disclosure vulnerability.
CVE-2025-58752 has been publicly disclosed; it was published on 2025-09-09. As of the current date, there are no known public proof-of-concept exploits. The CVSS severity is LOW (2.5). Note that CVSS rates severity, not the likelihood of exploitation; the EPSS score further down is the estimate of exploitation probability. It is not currently listed in the CISA KEV catalog.
Development teams using Vite in environments where the development server is inadvertently exposed to the network are at risk. Shared or multi-tenant development hosts (remote dev boxes, CI runners, containers with published ports) are particularly at risk, because one user's exposed dev server can serve HTML files from anywhere on that machine that its process can read. Organizations running older Vite versions without network segmentation between developer machines and untrusted networks should prioritize upgrading.
• nodejs: Monitor for Vite development servers exposed to the network. Use netstat -tulnp (or the newer ss -tulnp) to list listening sockets and look for node processes bound to 0.0.0.0, :: or * rather than 127.0.0.1 / ::1. Vite's default ports are 5173 for the dev server and 4173 for the preview server, but both are configurable, so check the bound address rather than relying on a port number.
ss -tulnp | grep node   # Example: list listening node processes and the address each is bound to
• nodejs: Check for unusual file access patterns within the Vite project directory. If a reverse proxy or other access log sits in front of the dev server, examine it for requests for HTML files that lie outside the project root.
• generic web: Review the Vite configuration file (vite.config.js or vite.config.ts) and the npm scripts that start the dev and preview servers for unintended network exposure: server.host set to 0.0.0.0 or true, or a --host flag in the script.
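The listening-socket check above, as an added example that is not from the original page or the Vite project: a small Node.js parser for `ss -tulnp` output that flags node processes bound to a non-loopback address, which is the exposure precondition for this CVE. The sample output is constructed for the example; `parseSsListeners` and `findExposedNodeListeners` are names chosen here.

```javascript
// Added example: flag Node.js servers that listen on non-loopback addresses, the
// precondition for CVE-2025-58752. The ss(8) output below is constructed for the
// example, not captured from a real host.
const SAMPLE_SS_OUTPUT = `
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      511    127.0.0.1:5173      0.0.0.0:*         users:(("node",pid=4021,fd=21))
tcp   LISTEN 0      511    *:4173              *:*               users:(("node",pid=4077,fd=19))
tcp   LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    [::1]:3000          [::]:*            users:(("node",pid=4100,fd=18))
tcp   LISTEN 0      511    0.0.0.0:5173        0.0.0.0:*         users:(("node",pid=4200,fd=21))
`;

// Addresses that only the local machine can reach.
function isLoopback(addr) {
  const bare = addr.replace(/^\[|\]$/g, '');
  return bare === 'localhost' || bare === '::1' || bare.startsWith('127.');
}

// Parse each `tcp ... LISTEN` line into { addr, port, process, pid }.
// ss prints the local endpoint as ADDR:PORT; IPv6 addresses are bracketed and
// "*" means every address, so split on the last colon.
function parseSsListeners(output) {
  const listeners = [];
  for (const raw of output.split('\n')) {
    const line = raw.trim();
    if (!line.startsWith('tcp') || !line.includes('LISTEN')) continue;
    const cols = line.split(/\s+/);
    const local = cols[4];
    const cut = local.lastIndexOf(':');
    const proc = line.match(/users:\(\("([^"]+)",pid=(\d+)/);
    listeners.push({
      addr: local.slice(0, cut),
      port: Number(local.slice(cut + 1)),
      process: proc ? proc[1] : null,
      pid: proc ? Number(proc[2]) : null,
    });
  }
  return listeners;
}

// Node processes bound to anything other than loopback: candidates for an exposed
// Vite dev/preview server. Match on process name rather than port, since the
// default ports (5173 dev, 4173 preview) are often changed.
function findExposedNodeListeners(output) {
  return parseSsListeners(output).filter(
    (l) => l.process === 'node' && !isLoopback(l.addr),
  );
}

// Stand-alone run: reports the two exposed listeners in the sample.
for (const l of findExposedNodeListeners(SAMPLE_SS_OUTPUT)) {
  console.log(`pid ${l.pid} (${l.process}) listening on ${l.addr}:${l.port} is network-reachable`);
}
```

To run it against a live host, feed the output of `ss -tulnp` (for example via child_process.execSync) to `findExposedNodeListeners` instead of the constructed sample; a hit only tells you that a node process is reachable, so confirm with the process's command line that it is Vite.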
Type: disclosure
Exploit Status:
EPSS: 0.02% (4th percentile)
CISA SSVC:
The primary mitigation for CVE-2025-58752 is to upgrade to Vite version 7.1.5 or later. If upgrading is not immediately feasible, restrict access to the Vite development server by ensuring it is not exposed to the network: remove the --host flag from your dev and preview scripts, or set server.host to 'localhost' (Vite's default). Consider placing a reverse proxy or host firewall in front of the server to further restrict who can reach it. Regularly review your Vite configuration to ensure it adheres to security best practices. After upgrading, confirm the fix by requesting an HTML file that lies outside the directories server.fs.allow permits through the development server; the patched server should refuse it.
Update Vite to version 7.1.5 or later. If you cannot update immediately, avoid exposing the Vite dev server to the network (do not use `--host` or the `server.host` configuration option) and, where possible, do not use `appType: 'spa'` or `appType: 'mpa'` (note that 'spa' is Vite's default, so this means setting `appType: 'custom'`). For the preview server, make sure that only HTML files inside the output directory are served.
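The configuration review and the mitigations above, as an added example that is not the page's or Vite's own code: a pre-flight check that evaluates a Vite config object together with the arguments of the script that starts the server, reporting whether the two conditions the advisory names (network-reachable host, appType 'spa' or 'mpa') hold, with the exposing and the hardened configuration side by side. `auditViteConfig`, `resolveHost` and `hostIsExposed` are names chosen here, not Vite APIs; the config objects are constructed for illustration.

```javascript
// Added example: pre-flight audit of a Vite configuration against the conditions
// CVE-2025-58752 requires (dev server reachable from the network, appType 'spa'
// or 'mpa'). Not a Vite API; the config objects are constructed for illustration.

// Exposing configuration: binds every interface and relies on the 'spa' default.
const exposedConfig = {
  server: { host: '0.0.0.0', port: 5173 },
};

// Hardened configuration: loopback only, strict file serving, explicit allow-list.
// server.fs does not close this CVE (the bug bypasses it for HTML); upgrading does.
const hardenedConfig = {
  appType: 'spa',
  server: {
    host: 'localhost',
    port: 5173,
    fs: { strict: true, allow: ['.'] },
  },
};

// The CLI wins over vite.config: `--host` alone means "all addresses" (true),
// `--host <addr>` or `--host=<addr>` gives an explicit address.
function resolveHost(configHost, cliArgs) {
  const i = cliArgs.indexOf('--host');
  if (i !== -1) {
    const next = cliArgs[i + 1];
    return next !== undefined && !next.startsWith('-') ? next : true;
  }
  const eq = cliArgs.find((a) => a.startsWith('--host='));
  return eq ? eq.slice('--host='.length) : configHost;
}

// Vite semantics: undefined/false -> localhost only; true -> all interfaces;
// otherwise the literal address, which is exposed unless it is a loopback name.
function hostIsExposed(host) {
  if (host === undefined || host === false) return false;
  if (host === true) return true;
  return !['localhost', '127.0.0.1', '::1'].includes(String(host));
}

function auditViteConfig(config = {}, cliArgs = []) {
  const server = config.server || {};
  const appType = config.appType || 'spa'; // Vite's default
  const host = resolveHost(server.host, cliArgs);
  const exposed = hostIsExposed(host);
  const findings = [];
  if (exposed) {
    findings.push(`dev server reachable from the network (host=${JSON.stringify(host)})`);
    if (appType === 'spa' || appType === 'mpa') {
      findings.push(`appType '${appType}' matches the advisory's affected condition; upgrade to 7.1.5 or later`);
    }
  }
  if (server.fs && server.fs.strict === false) {
    findings.push('server.fs.strict is disabled');
  }
  return { host, appType, exposed, findings };
}

// Stand-alone run: the exposing config yields two findings, the hardened one none,
// and the hardened config becomes exposed again as soon as `--host` is passed.
for (const [name, cfg, args] of [
  ['exposed', exposedConfig, []],
  ['hardened', hardenedConfig, []],
  ['hardened + --host', hardenedConfig, ['--host']],
]) {
  const r = auditViteConfig(cfg, args);
  console.log(`${name}: exposed=${r.exposed} findings=${r.findings.length}`);
}
```

The check treats the CLI as authoritative because a hardened vite.config.js is undone by a `"dev": "vite --host"` script, which is the more common way the server ends up on the network; the server.fs.strict finding is general hardening and is reported independently of this CVE.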
CVE-2025-58752 is a LOW severity vulnerability in Vite versions before 7.1.5 that allows HTML files anywhere on the host to be served by the development server, bypassing server.fs, if the server is exposed to the network, potentially leading to information disclosure.
You are affected if you are using a Vite version prior to 7.1.5, your development server is accessible from the network (e.g., started with --host or with server.host configured to a public IP), and your app uses appType: 'spa' (the default) or appType: 'mpa'.
Upgrade to Vite version 7.1.5 or later. If immediate upgrade isn't possible, restrict network access to the development server.
As of the current date, there are no known active exploits for CVE-2025-58752, but it's still important to mitigate the vulnerability.
Refer to the Vite project's official security advisories and release notes on their GitHub repository: https://github.com/vitejs/vite