CVE-2025-58751: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in vitejs vite
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
AI Analysis
Technical Summary
CVE-2025-58751 is a path traversal vulnerability affecting the Vite frontend tooling framework for JavaScript. This vulnerability exists in versions prior to 5.4.20, 6.3.6, 7.0.7, and 7.1.5. The root cause is that files starting with the same name as those in the public directory can be served by the Vite dev server while bypassing the server.fs configuration settings, which are intended to restrict file system access. This occurs only if the application explicitly exposes the Vite development server to the network (via the --host flag or server.host configuration), uses the public directory feature (enabled by default), and has a symbolic link within the public directory. Exploiting this vulnerability could allow an attacker to access files outside the intended restricted directory, potentially exposing sensitive information. However, exploitation requires that the Vite dev server be exposed to the network, and user interaction is needed to trigger the file access. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-200 (Exposure of Sensitive Information), and CWE-284 (Improper Access Control). The CVSS v4.0 base score is 2.3, indicating low severity, reflecting the limited impact and exploitation conditions. No known exploits are currently reported in the wild. The issue is fixed in versions 5.4.20, 6.3.6, 7.0.7, and 7.1.5 of Vite.
Potential Impact
For European organizations, the impact of this vulnerability is generally low but context-dependent. Organizations using Vite as part of their frontend development environment and exposing the Vite dev server to external networks could inadvertently allow attackers to access files outside the intended public directory, potentially leaking sensitive development or configuration files. This could lead to information disclosure that might aid further attacks or intellectual property theft. However, since Vite is primarily a development tool and this vulnerability requires the dev server to be network-exposed (which is not a common production setup), the risk to production environments is minimal. The main risk lies in development or staging environments that are improperly exposed. European organizations with strict data protection regulations (e.g., GDPR) should be cautious about any unintended data exposure. Additionally, organizations relying on Vite for rapid frontend development in collaborative or cloud environments might face increased risk if network exposure is misconfigured.
Mitigation Recommendations
1. Upgrade Vite to the fixed versions: 5.4.20, 6.3.6, 7.0.7, or 7.1.5 depending on the version series in use. 2. Avoid exposing the Vite development server to external networks unless absolutely necessary. Use localhost bindings or VPNs to restrict access. 3. Disable or carefully manage the public directory feature if symbolic links are used within it. 4. Implement network-level access controls (firewalls, IP whitelisting) to restrict access to development servers. 5. Regularly audit development and staging environments for unintended exposure of dev servers. 6. Educate development teams on secure configuration practices for development tools. 7. Monitor logs for unusual file access patterns that could indicate exploitation attempts. 8. If symbolic links in the public directory are required, ensure they do not point to sensitive directories or files.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
CVE-2025-58751: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in vitejs vite
Description
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
AI-Powered Analysis
Technical Analysis
CVE-2025-58751 is a path traversal vulnerability affecting the Vite frontend tooling framework for JavaScript. This vulnerability exists in versions prior to 5.4.20, 6.3.6, 7.0.7, and 7.1.5. The root cause is that files starting with the same name as those in the public directory can be served by the Vite dev server while bypassing the server.fs configuration settings, which are intended to restrict file system access. This occurs only if the application explicitly exposes the Vite development server to the network (via the --host flag or server.host configuration), uses the public directory feature (enabled by default), and has a symbolic link within the public directory. Exploiting this vulnerability could allow an attacker to access files outside the intended restricted directory, potentially exposing sensitive information. However, exploitation requires that the Vite dev server be exposed to the network, and user interaction is needed to trigger the file access. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-200 (Exposure of Sensitive Information), and CWE-284 (Improper Access Control). The CVSS v4.0 base score is 2.3, indicating low severity, reflecting the limited impact and exploitation conditions. No known exploits are currently reported in the wild. The issue is fixed in versions 5.4.20, 6.3.6, 7.0.7, and 7.1.5 of Vite.
Potential Impact
For European organizations, the impact of this vulnerability is generally low but context-dependent. Organizations using Vite as part of their frontend development environment and exposing the Vite dev server to external networks could inadvertently allow attackers to access files outside the intended public directory, potentially leaking sensitive development or configuration files. This could lead to information disclosure that might aid further attacks or intellectual property theft. However, since Vite is primarily a development tool and this vulnerability requires the dev server to be network-exposed (which is not a common production setup), the risk to production environments is minimal. The main risk lies in development or staging environments that are improperly exposed. European organizations with strict data protection regulations (e.g., GDPR) should be cautious about any unintended data exposure. Additionally, organizations relying on Vite for rapid frontend development in collaborative or cloud environments might face increased risk if network exposure is misconfigured.
Mitigation Recommendations
1. Upgrade Vite to the fixed versions: 5.4.20, 6.3.6, 7.0.7, or 7.1.5 depending on the version series in use. 2. Avoid exposing the Vite development server to external networks unless absolutely necessary. Use localhost bindings or VPNs to restrict access. 3. Disable or carefully manage the public directory feature if symbolic links are used within it. 4. Implement network-level access controls (firewalls, IP whitelisting) to restrict access to development servers. 5. Regularly audit development and staging environments for unintended exposure of dev servers. 6. Educate development teams on secure configuration practices for development tools. 7. Monitor logs for unusual file access patterns that could indicate exploitation attempts. 8. If symbolic links in the public directory are required, ensure they do not point to sensitive directories or files.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-09-04T19:18:09.499Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 68bf6046d5a2966cfc83ed7b
Added to database: 9/8/2025, 11:01:26 PM
Last enriched: 9/16/2025, 1:08:25 AM
Last updated: 10/30/2025, 2:17:38 PM
Views: 122
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-43941: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Dell Unity
HighCVE-2025-10348: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Eveo URVE Smart Office
MediumCVE-2025-63608: n/a
HighCVE-2025-10317: CWE-352 Cross-Site Request Forgery (CSRF) in OpenSolution Quick.Cart
MediumCVE-2025-39663: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Checkmk GmbH Checkmk
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.