
CVE-2025-58752: CWE-23: Relative Path Traversal in vitejs vite

Severity: Low
Tags: vulnerability, CVE-2025-58752, CWE-23, CWE-200, CWE-284
Published: Mon Sep 08 2025 (09/08/2025, 22:56:58 UTC)
Source: CVE Database V5
Vendor/Project: vitejs
Product: vite

Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

AI-Powered Analysis

Last updated: 09/08/2025, 23:31:25 UTC

Technical Analysis

CVE-2025-58752 is a relative path traversal vulnerability affecting the Vite frontend tooling framework for JavaScript. Vite is widely used for building modern web applications, providing a development server and preview server to serve application files during development and testing. Prior to fixed versions 5.4.20, 6.3.6, 7.0.7, and 7.1.5, the vulnerability allowed any HTML files on the host machine to be served by the Vite dev or preview server regardless of the configured server.fs file system restrictions. This means that if an application exposed the Vite dev server to the network (via the --host or server.host option) and used the default appType settings ('spa' or 'mpa'), an attacker could craft requests to access arbitrary HTML files outside the intended directory scope. The root cause is improper validation of file paths, enabling directory traversal (CWE-23) and unauthorized file disclosure (CWE-200). The vulnerability does not require authentication but does require user interaction (sending crafted requests). The CVSS 4.0 score is 2.3 (low severity), reflecting limited impact since only HTML files can be accessed, and no direct code execution or system compromise is indicated. However, unauthorized disclosure of HTML files could leak sensitive information or internal application details. The vulnerability affects multiple version ranges of Vite before the patched releases. No known exploits are reported in the wild as of publication. The issue is fixed by upgrading to the specified patched versions.

Potential Impact

For European organizations using Vite in their development environments, this vulnerability could lead to unauthorized disclosure of HTML files on development or preview servers exposed to the network. While the impact on production environments is limited because Vite is primarily a development tool, organizations that expose the Vite dev or preview server externally risk leaking internal application files or sensitive HTML content. This could aid attackers in reconnaissance or facilitate further attacks by revealing application structure or sensitive data embedded in HTML files. The impact on confidentiality is moderate but does not affect integrity or availability. Since exploitation requires the Vite server to be network-exposed, organizations with strict network segmentation and access controls are less at risk. However, development teams that use Vite with default configurations and expose the dev server externally, especially in cloud or hybrid environments, should be cautious. The vulnerability does not allow remote code execution or system compromise directly but could be leveraged as part of a broader attack chain.

Mitigation Recommendations

European organizations should immediately upgrade Vite to versions 5.4.20, 6.3.6, 7.0.7, or 7.1.5 or later to remediate this vulnerability. Additionally, organizations should audit their development and preview server configurations to ensure that the Vite dev server is not exposed to untrusted networks. Avoid using the --host or server.host options to expose the server externally unless necessary and ensure proper network segmentation and firewall rules restrict access. Review and tighten server.fs settings to explicitly restrict file system access to only required directories. Implement monitoring and logging of access to development servers to detect any anomalous requests that may indicate exploitation attempts. Educate development teams about the risks of exposing development tooling servers externally and enforce secure default configurations. For environments where external exposure is unavoidable, consider placing the Vite server behind authenticated reverse proxies or VPNs to limit access to authorized users only.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-04T19:18:09.499Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68bf63c7d5a2966cfc83ff1c

Added to database: 9/8/2025, 11:16:23 PM

Last enriched: 9/8/2025, 11:31:25 PM

Last updated: 9/10/2025, 4:23:54 AM

