CVE-2025-58752
📋 TL;DR
This vulnerability in Vite allows unauthorized access to HTML files on the server regardless of filesystem restrictions when the dev server is exposed to the network. It affects applications using Vite's development or preview servers with default or MPA appType configurations. Only systems where the Vite server is explicitly made network-accessible are vulnerable.
💻 Affected Systems
- Vite
📦 What is this software?
Vite by Vitejs
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive HTML files containing credentials, configuration data, or proprietary information from anywhere on the server filesystem.
Likely Case
Unauthorized access to HTML files in directories outside the intended project scope, potentially exposing development files, configuration templates, or other web content.
If Mitigated
If server.fs restrictions are properly configured and network exposure is limited, impact is minimal to none.
🎯 Exploit Status
Exploitation requires network access to the exposed Vite server and knowledge of file paths on the target system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.5, 7.0.7, 6.3.6, or 5.4.20
Vendor Advisory: https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3
Restart Required: Yes
Instructions:
1. Update Vite to a patched version: npm update vite@latest, or specify the exact version.
2. Restart development/preview servers.
3. Verify that server.fs restrictions are properly configured.
🔧 Temporary Workarounds
Restrict Network Exposure
Do not expose the Vite dev server to the network via the --host flag or the server.host configuration
Remove --host flag from dev scripts
Set server.host: false in vite.config.js
Configure Filesystem Restrictions
Explicitly configure server.fs.allow to restrict the accessible directories
Add server.fs.allow: ['.'] to vite.config.js to restrict to current directory
🧯 If You Can't Patch
- Do not expose Vite development or preview servers to untrusted networks
- Implement network-level restrictions (firewall rules) to limit access to Vite server ports
🔍 How to Verify
Check if Vulnerable:
Check the Vite version and configuration:
1. Run 'npm list vite' to check the version.
2. Review vite.config.js for server.host settings.
3. Check whether the dev server is started with the --host flag.
Check Version:
npm list vite | grep vite
Verify Fix Applied:
1. Confirm the Vite version is 7.1.5, 7.0.7, 6.3.6, or 5.4.20 or higher.
2. Test that HTML files outside the project directory are no longer accessible via the dev server.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests for HTML files outside project directory
- Access to paths containing '..' or absolute paths
Network Indicators:
- HTTP requests to Vite dev server ports (typically 5173, 3000) from unexpected sources
- Requests for HTML files with unusual paths
SIEM Query:
source="vite-server" AND (path="*../*" OR path="/absolute/path/*") AND response_code=200
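The SIEM query above expressed as a small log scanner, added here as an example and not code from the advisory or the Vite project. It walks constructed access-log lines and reports 200 responses for .html requests whose decoded path contains a traversal segment or starts with a prefix outside the project; the log line format, field layout and the OUTSIDE_PREFIXES list are assumptions to adapt to the real deployment.

```javascript
// Decoded-path prefixes that should never be requested from this project's
// dev server (constructed list; tune to the deployment).
const OUTSIDE_PREFIXES = ["/etc/", "/home/", "/root/", "/var/"];

// Constructed sample lines in the assumed form: <ip> "<METHOD> <path> HTTP/x" <status>
const SAMPLE_LOG = [
  '10.0.0.5 "GET /index.html HTTP/1.1" 200',
  '10.0.0.5 "GET /src/main.ts HTTP/1.1" 200',
  '10.0.0.9 "GET /../../home/dev/notes.html HTTP/1.1" 200',
  '10.0.0.9 "GET /%2e%2e/%2e%2e/etc/config.html HTTP/1.1" 200',
  '10.0.0.9 "GET /etc/secrets.html HTTP/1.1" 404',
  '10.0.0.9 "GET /home/dev/secret.html HTTP/1.1" 200',
];

// Parse one line into its fields; returns null for lines that do not match.
function parseLine(line) {
  const m = line.match(/^(\S+) "(\S+) (\S+) HTTP\/[\d.]+" (\d{3})$/);
  return m ? { ip: m[1], method: m[2], reqPath: m[3], status: Number(m[4]) } : null;
}

// Return a reason string for an HTML request path worth reviewing, or null.
function classifyPath(reqPath) {
  let p = reqPath.split("?")[0];
  try { p = decodeURIComponent(p); } catch (e) { return "undecodable"; }
  if (!/\.html?$/i.test(p)) return null;                 // page scope: HTML files only
  if (p.split(/[\\/]+/).includes("..")) return "traversal";
  const collapsed = p.replace(/\/+/g, "/").toLowerCase();
  if (OUTSIDE_PREFIXES.some((pre) => collapsed.startsWith(pre))) return "absolute";
  return null;
}

// Apply the check to every parsable line, keeping only 200 responses as in the SIEM query.
function findSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.status !== 200) continue;
    const reason = classifyPath(e.reqPath);
    if (reason) hits.push({ ip: e.ip, reqPath: e.reqPath, reason });
  }
  return hits;
}

console.log(findSuspicious(SAMPLE_LOG));
```

The 404 line is skipped on purpose: only served files (status 200) indicate the filesystem restriction was actually bypassed, which is what the SIEM query also keys on.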
🔗 References
- https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f
- https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e
- https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea
- https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6
- https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3