CVE-2025-58751 is a path traversal vulnerability identified in the Vite frontend tooling framework for JavaScript. This vulnerability exists in versions prior to 5.4.20, 6.3.6, 7.0.7, and 7.1.5. The core issue arises because files that start with the same name as those in the public directory can be served by the Vite development server, bypassing the intended server filesystem restrictions configured via the `server.fs` settings. This flaw allows an attacker to potentially access files outside the intended public directory, exploiting improper limitation of pathname to a restricted directory (CWE-22). The vulnerability specifically affects applications that expose the Vite dev server to the network (using the `--host` option or `server.host` configuration), utilize the public directory feature (which is enabled by default), and have symbolic links (symlinks) within the public directory. The presence of symlinks combined with the public directory feature and network exposure creates the conditions for this path traversal attack. The vulnerability does not require authentication but does require user interaction, such as visiting a maliciously crafted URL to trigger the file access. The CVSS 4.0 base score is 2.3, indicating a low severity level, primarily because the impact on confidentiality is limited (low impact), there is no impact on integrity or availability, and exploitation requires user interaction. No known exploits are reported in the wild as of the publication date. The issue is fixed in versions 5.4.20, 6.3.6, 7.0.7, and 7.1.5 of Vite.

For European organizations, the impact of this vulnerability is generally low but context-dependent. Organizations using Vite as part of their frontend development stack and exposing the Vite dev server to external networks could inadvertently allow attackers to access sensitive files outside the intended public directory. This could lead to information disclosure, such as leaking configuration files, source code, or other sensitive assets that should remain private. While the vulnerability does not directly enable code execution or system compromise, the exposure of sensitive information could facilitate further attacks or intellectual property theft. The risk is higher in development or staging environments exposed to the internet, which is a common practice in some agile or DevOps workflows. Production environments typically do not expose the Vite dev server, reducing risk. However, organizations with less mature security practices or those that expose development servers externally are more vulnerable. Given the low CVSS score and lack of known exploits, the immediate threat is limited, but the vulnerability should be addressed promptly to prevent potential information leakage.

1. Upgrade Vite to the fixed versions: 5.4.20, 6.3.6, 7.0.7, or 7.1.5 depending on the version series in use. This is the most effective mitigation. 2. Avoid exposing the Vite dev server to external networks. Use the default localhost binding unless absolutely necessary. 3. Disable or carefully manage the use of the public directory feature if external exposure is required. 4. Remove or avoid using symbolic links within the public directory to prevent path traversal exploitation. 5. Implement network-level access controls (firewalls, VPNs) to restrict access to development servers. 6. Monitor and audit access logs for unusual file access patterns that could indicate exploitation attempts. 7. Educate development teams about the risks of exposing development tools and servers to public networks. 8. Use containerization or isolated environments for development servers to limit the blast radius if compromised.