HTML File Exposure in Vite Framework by Vitejs
CVE-2025-58752

2.3 LOW

Key Information:

Vendor

Vitejs

Status
Vendor
CVE Published: 8 September 2025

What is CVE-2025-58752?

Vite, a frontend tooling framework, has a vulnerability that causes the server to serve any HTML file present on the machine, regardless of the configured server file system restrictions. The issue arises when the Vite dev server is exposed to the network through its configuration options. It also affects the preview server, which can expose HTML files outside the intended output directory. The flaw is fixed in versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20.

Affected Version(s)

vite < 5.4.20

vite >= 6.0.0, < 6.3.6

vite >= 7.0.0, < 7.0.7

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
