CVE-2025-58751

5.3 MEDIUM

📋 TL;DR

This vulnerability in Vite allows attackers to bypass server.fs restrictions and access files outside the public directory when specific conditions are met. Only applications that expose the Vite dev server to the network, use the public directory feature, and have symlinks in the public directory are affected. The issue enables unauthorized file access but requires specific configuration.

💻 Affected Systems

Products:
  • Vite
Versions: All versions prior to 7.1.5, 7.0.7, 6.3.6, and 5.4.20
Operating Systems: All operating systems running Vite
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when all three conditions hold:
  • The Vite dev server is exposed to the network (using --host or server.host)
  • The public directory feature is in use (enabled by default)
  • A symlink exists in the public directory

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive files outside the public directory, potentially exposing source code, configuration files, or credentials stored in the project structure.

🟠

Likely Case

Limited file disclosure of project files adjacent to the public directory, potentially revealing development artifacts or configuration details.

🟢

If Mitigated

No impact if dev server is not exposed to network or if proper access controls restrict external connections.

🌐 Internet-Facing: MEDIUM - Requires specific configuration (exposed dev server with symlinks) but could lead to information disclosure if exploited.
🏢 Internal Only: LOW - Internal dev servers typically have limited exposure and are less likely to be targeted by external actors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of the target's file structure and specific conditions to be met. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.5, 7.0.7, 6.3.6, or 5.4.20 depending on your major version

Vendor Advisory: https://github.com/vitejs/vite/security/advisories

Restart Required: Yes

Instructions:

1. Check the current Vite version with 'npm list vite' or 'yarn list vite'.
2. Update to a patched version: 'npm update vite@latest' or 'yarn upgrade vite@latest'.
3. Restart the Vite development server.

🔧 Temporary Workarounds

Disable network exposure (applies to: all platforms)

Do not expose the Vite dev server to the network: avoid the --host flag and the server.host configuration.

  • Remove '--host' from the dev script
  • Set server.host: false in vite.config.js

Remove symlinks from the public directory (applies to: all platforms)

Eliminate symlinks in the public directory that could be exploited.

  • find public/ -type l -delete
  • Remove any symlink references in the public directory

🧯 If You Can't Patch

  • Ensure Vite dev server is not exposed to external networks (use localhost only)
  • Audit and remove all symlinks from the public directory

🔍 How to Verify

Check if Vulnerable:

Check if using vulnerable Vite version AND dev server is exposed to network AND public directory contains symlinks

Check Version:

npm list vite | grep vite
yarn list vite | grep vite

Verify Fix Applied:

Confirm Vite version is 7.1.5+, 7.0.7+, 6.3.6+, or 5.4.20+ and test file access restrictions

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from external IPs to Vite dev server
  • Requests for files outside expected public directory paths

Network Indicators:

  • External connections to Vite dev server port (typically 5173) with file path traversal patterns

SIEM Query:

source="vite-logs" AND (dst_port=5173 OR dst_port=3000) AND (uri CONTAINS "../" OR uri CONTAINS "symlink")
