5.4.21
6.0.1
7.0.1
7.1.1
7.1.5
CVE-2025-58752 describes a vulnerability in Vite where any HTML files on the system could be served, bypassing the intended server.fs settings. This allows unauthorized access to sensitive files. The vulnerability impacts Vite versions before 7.1.5 and affects applications explicitly exposing the Vite dev server to the network with appType: 'spa' or appType: 'mpa'. A fix is available in version 7.1.5.
The primary impact of CVE-2025-58752 is unauthorized information disclosure. An attacker who can access the exposed Vite development server could potentially retrieve arbitrary HTML files from the system. This could include sensitive configuration files, internal documentation, or even parts of the application's codebase. The vulnerability is particularly concerning for development environments where sensitive data might be present. The preview server is also affected, allowing access to HTML files outside the intended output directory. This vulnerability is not a remote code execution (RCE) issue; it's a file disclosure vulnerability.
CVE-2025-58752 has been publicly disclosed. As of the current date, there are no known public proof-of-concept exploits. The vulnerability's CVSS score is LOW (2.5), indicating a relatively low probability of exploitation. It was published on 2025-09-09. It is not currently listed on the CISA KEV catalog.
Development teams using Vite in environments where the development server is inadvertently exposed to the network are at risk. Shared hosting environments where developers have access to the server's file system are also particularly vulnerable. Organizations using older Vite versions without proper network segmentation should prioritize upgrading.
• nodejs: Monitor for Vite development servers exposed to the network. Use netstat -tulnp or similar tools to identify processes listening on public interfaces.
netstat -tulnp | grep :3000 # Example: check for Vite on port 3000• nodejs: Check for unusual file access patterns within the Vite project directory. Examine application logs for unexpected requests for HTML files.
• generic web: If you suspect compromise, check the Vite configuration file (vite.config.js) for unintended network exposure settings (e.g., server.host set to 0.0.0.0).
disclosure
漏洞利用状态
EPSS
0.02% (4% 百分位)
CISA SSVC
The primary mitigation for CVE-2025-58752 is to upgrade to Vite version 7.1.5 or later. If upgrading is not immediately feasible, restrict access to the Vite development server by ensuring it is not exposed to the network (remove --host flag or set server.host to localhost). Consider using a reverse proxy or firewall to further restrict access. Regularly review and update your Vite configuration to ensure it adheres to security best practices. After upgrading, confirm the fix by attempting to access arbitrary HTML files through the development server; they should be denied.
升级 Vite 到 7.1.5 或更高版本。如果无法立即升级,请避免将 Vite 开发服务器暴露到网络上(不要使用 `--host` 或 `server.host` 配置选项),并确保如果可能,不要使用 `appType: 'spa'` 或 `appType: 'mpa'`。对于预览服务器,请确保仅提供输出目录中的 HTML 文件。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-58752 is a LOW severity vulnerability in Vite versions before 7.1.5 that allows unauthorized HTML files to be served via the development server if it's exposed to the network, potentially leading to information disclosure.
You are affected if you are using Vite versions prior to 7.1.5 and your development server is accessible from the network (e.g., using --host or server.host configured to a public IP).
Upgrade to Vite version 7.1.5 or later. If immediate upgrade isn't possible, restrict network access to the development server.
As of the current date, there are no known active exploits for CVE-2025-58752, but it's still important to mitigate the vulnerability.
Refer to the Vite project's official security advisories and release notes on their GitHub repository: https://github.com/vitejs/vite
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。