CVE-2025-58752

low-risk
Published 2025-09-08

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

Do I need to act?

-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Vitejs

References (6)

Patch https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f
Patch https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e
Patch https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea
Patch https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6
Exploit https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3
Exploit https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal