Low severity · NVD Advisory · Published Sep 8, 2025 · Updated Sep 9, 2025
Vite middleware may serve files starting with the same name with the public directory
CVE-2025-58751
Description
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files whose names start with the same name as the public directory were served, bypassing the server.fs settings. Only apps that meet all three of the following conditions are affected: they explicitly expose the Vite dev server to the network (using --host or the server.host config option), use the public directory feature (enabled by default), and have a symlink in the public directory. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vite (npm) | >= 7.1.0, < 7.1.5 | 7.1.5 |
| vite (npm) | >= 7.0.0, < 7.0.7 | 7.0.7 |
| vite (npm) | >= 6.0.0, < 6.3.6 | 6.3.6 |
| vite (npm) | < 5.4.20 | 5.4.20 |
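The three preconditions in the description and the version ranges in the table above can be checked directly on a project. The following Node.js audit is an added example, not code from the advisory or the Vite project; the `audit` input object, the function names and the loopback-host list are assumptions made for illustration.

```javascript
// Added example (not Vite project code): checks the CVE-2025-58751 preconditions.
// load() resolves built-ins in both CommonJS and ES module files.
const load = (m) => (typeof require === 'function' ? require(m) : process.getBuiltinModule(m));
const fs = load('node:fs');
const path = load('node:path');

// Affected ranges [min, fixed) copied from the "Affected packages" table.
const RANGES = [
  { min: [7, 1, 0], fixed: [7, 1, 5] },
  { min: [7, 0, 0], fixed: [7, 0, 7] },
  { min: [6, 0, 0], fixed: [6, 3, 6] },
  { min: [0, 0, 0], fixed: [5, 4, 20] },
];

// Pre-release suffixes are ignored, so "7.1.0-beta.1" is treated as 7.1.0.
const parse = (v) => [0, 1, 2].map((i) => Number(v.split('-')[0].split('.')[i]) || 0);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Returns the fixed release to upgrade to, or null when the version is not affected.
function fixedReleaseFor(version) {
  const v = parse(version);
  const hit = RANGES.find((r) => cmp(v, r.min) >= 0 && cmp(v, r.fixed) < 0);
  return hit ? hit.fixed.join('.') : null;
}

// Lists symlinks under dir; Dirent types come from the entry itself, so links are not followed.
function findSymlinks(dir) {
  const found = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isSymbolicLink()) found.push(full);
    else if (entry.isDirectory()) found.push(...findSymlinks(full));
  }
  return found;
}

// cfg is a hypothetical summary of the project: { version, host, publicDir }.
// Assumption: any host other than unset/false or a loopback name counts as network-exposed.
function audit(cfg) {
  const upgradeTo = fixedReleaseFor(cfg.version);
  const exposed = Boolean(cfg.host) && !['localhost', '127.0.0.1', '::1'].includes(cfg.host);
  const symlinks = cfg.publicDir && fs.existsSync(cfg.publicDir) ? findSymlinks(cfg.publicDir) : [];
  return { upgradeTo, exposed, symlinks, affected: Boolean(upgradeTo) && exposed && symlinks.length > 0 };
}
```

Pass it the installed Vite version, the resolved server.host value and the public directory path; when `affected` is true, `upgradeTo` names the fixed release for that line and `symlinks` lists the links to review.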
Affected products
osv-coords, 20 versions (no CPE listed for any entry):

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/langfuse | < 3.110.0-r0 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r26 |
| pkg:apk/chainguard/langfuse-3-worker | < 3.179.1-r3 |
| pkg:apk/chainguard/langfuse-compat | < 3.110.0-r0 |
| pkg:apk/chainguard/langfuse-fips-2-worker | < 2.95.12-r28 |
| pkg:apk/chainguard/langfuse-fips-3-worker | < 3.179.1-r2 |
| pkg:apk/chainguard/langfuse-worker | < 3.110.0-r0 |
| pkg:apk/chainguard/vitess-22 | < 22.0.2-r0 |
| pkg:apk/chainguard/vitess-23 | < 23.0.0-r2 |
| pkg:apk/chainguard/vitess-23-binaries | < 23.0.0-r2 |
| pkg:apk/chainguard/vitess-23-compat | < 23.0.0-r2 |
| pkg:apk/wolfi/langfuse | < 3.110.0-r0 |
| pkg:apk/wolfi/langfuse-3-worker | < 3.179.1-r3 |
| pkg:apk/wolfi/langfuse-compat | < 3.110.0-r0 |
| pkg:apk/wolfi/langfuse-worker | < 3.110.0-r0 |
| pkg:apk/wolfi/vitess-22 | < 22.0.2-r0 |
| pkg:apk/wolfi/vitess-23 | < 23.0.0-r2 |
| pkg:apk/wolfi/vitess-23-binaries | < 23.0.0-r2 |
| pkg:apk/wolfi/vitess-23-compat | < 23.0.0-r2 |
| pkg:npm/vite | >= 7.1.0, < 7.1.5 |
References
- github.com/advisories/GHSA-g4jq-h2w9-997c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-58751 (ghsa, ADVISORY)
- github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb (ghsa, x_refsource_MISC, WEB)
- github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d (ghsa, x_refsource_MISC, WEB)
- github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069 (ghsa, x_refsource_MISC, WEB)
- github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec (ghsa, x_refsource_MISC, WEB)
- github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0 (ghsa, x_refsource_MISC, WEB)
- github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c (ghsa, x_refsource_CONFIRM, WEB)