Vite’s `server.fs` settings were not applied to HTML files

2.3 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.

Basic Information

ID CVE-2025-58752

Source GitHub_M

Published Sep 8, 2025 at 22:56

Affected Product

Vendor vitejs

Product vite

Version < 5.4.20

Affected Versions vitejs vite < 5.4.20
vitejs vite >= 6.0.0, < 6.3.6
vitejs vite >= 7.0.0, < 7.0.7
vitejs vite >= 7.1.0, < 7.1.5

CWE Classification

CWE-23 CWE-200 CWE-284

References

{
    "lastseen": "",
    "description": "Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.",
    "published": "2025-09-08T22:56:58.039Z",
    "modified": "2025-09-08T22:56:58.039Z",
    "type": "cve",
    "title": "Vite's `server.fs` settings were not applied to HTML files",
    "source": "GitHub_M",
    "references": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3\nhttps://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f\nhttps://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e\nhttps://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea\nhttps://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
    "id": "CVE-2025-58752",
    "bulletinFamily": "",
    "cwe": [
        "CWE-23",
        "CWE-200",
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "vitejs vite < 5.4.20\nvitejs vite >= 6.0.0, < 6.3.6\nvitejs vite >= 7.0.0, < 7.0.7\nvitejs vite >= 7.1.0, < 7.1.5",
    "sourceHref": "",
    "cvss": {
        "score": 2.3,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vite",
    "version": "< 5.4.20",
    "vendor": "vitejs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Vite’s `server.fs` settings were not applied to HTML files_CVE-2025-58752