
CVE-2025-58752: CWE-23: Relative Path Traversal in vitejs vite

Severity: Low
Tags: Vulnerability, CVE-2025-58752, cve, cwe-23, cwe-200, cwe-284
Published: Mon Sep 08 2025 (09/08/2025, 22:56:58 UTC)
Source: CVE Database V5
Vendor/Project: vitejs
Product: vite

Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

AI-Powered Analysis

AI analysis last updated: 09/16/2025, 01:08:46 UTC

Technical Analysis

CVE-2025-58752 is a security vulnerability classified as a relative path traversal issue (CWE-23) affecting the Vite frontend tooling framework for JavaScript. Vite is widely used for modern web development to bundle and serve frontend assets efficiently. The vulnerability exists in versions prior to 5.4.20, 6.3.6, 7.0.7, and 7.1.5. Specifically, when the Vite development server is explicitly exposed to the network using the --host or server.host configuration option and configured with appType set to 'spa' (single-page application, which is the default) or 'mpa' (multi-page application), the server improperly serves HTML files located anywhere on the host machine, regardless of the server.fs configuration settings intended to restrict file system access. This flaw also affects the preview server, which is used to serve built assets for testing before deployment, allowing it to serve HTML files outside the intended output directory. The root cause is insufficient validation of file paths, enabling an attacker to request arbitrary HTML files on the server's file system. Although the CVSS score is low (2.3), reflecting limited impact and exploitation complexity, the vulnerability can lead to unintended information disclosure (CWE-200) and unauthorized access control bypass (CWE-284) by exposing sensitive HTML files that may contain configuration details, internal documentation, or other sensitive data. The vulnerability does not require authentication but does require user interaction (e.g., an attacker must send crafted requests to the exposed Vite server). The issue is fixed in versions 5.4.20, 6.3.6, 7.0.7, and 7.1.5. No known exploits are currently reported in the wild. This vulnerability primarily affects development and preview environments where Vite servers are exposed to external networks without proper access restrictions.

Potential Impact

For European organizations, the impact of CVE-2025-58752 is primarily related to information disclosure risks during the development and testing phases of web applications using Vite. If development servers or preview servers are exposed to untrusted networks, attackers could retrieve arbitrary HTML files from the host machine, potentially leaking sensitive internal information such as API keys, environment variables, or proprietary code snippets embedded in HTML files. This could facilitate further attacks such as social engineering, reconnaissance, or exploitation of other vulnerabilities. While the vulnerability does not directly allow code execution or system compromise, the exposure of sensitive data could undermine confidentiality and trust. Organizations with remote or distributed development teams, or those using cloud-based development environments, may be more susceptible if network exposure controls are lax. The low CVSS score indicates a limited risk in typical production environments where Vite servers are not exposed externally. However, in regulated industries or organizations with strict data privacy requirements (e.g., GDPR compliance), even limited data leaks during development could have compliance implications. Therefore, European organizations should treat this vulnerability seriously in their development lifecycle security practices.

Mitigation Recommendations

1. Upgrade Vite to a fixed version (5.4.20, 6.3.6, 7.0.7, or 7.1.5) as soon as possible to eliminate the vulnerability.
2. Avoid exposing the Vite development or preview servers to external or untrusted networks. Bind to localhost or require a VPN to restrict access.
3. Explicitly configure the server.fs option to restrict file system access to only the necessary directories; although affected versions bypass this setting for HTML files, it remains a good defense-in-depth measure.
4. Use network-level controls such as firewalls or access control lists to limit access to development servers.
5. Implement strict environment segregation: development and preview environments should be isolated from production and from sensitive data stores.
6. Monitor and audit network traffic to detect unauthorized access attempts against development servers.
7. Educate developers about the risks of exposing development tools and encourage secure configuration practices.
8. If exposure is necessary, consider adding authentication or IP allowlisting in front of the Vite server to reduce the risk of unauthorized access.
9. Regularly review and update development tooling dependencies so that security patches are incorporated promptly.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-04T19:18:09.499Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68bf63c7d5a2966cfc83ff1c

Added to database: 9/8/2025, 11:16:23 PM

Last enriched: 9/16/2025, 1:08:46 AM

Last updated: 10/29/2025, 9:34:46 PM

