CVE-2025-58751
- Source
- https://cve.org/CVERecord?id=CVE-2025-58751
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-58751.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-58751
- Aliases
- Downstream
- Related
- Published
- 2025-09-08T22:52:45.667Z
- Modified
- 2026-02-24T01:26:06.110586Z
- Severity
-
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Vite middleware may serve files starting with the same name with the public directory
- Details
-
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the
server.fssettings. Only apps that explicitly expose the Vite dev server to the network (using --host orserver.hostconfig option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue. - Database specific
{ "cwe_ids": [ "CWE-200", "CWE-22", "CWE-284" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58751.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58751.json
- https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
- https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
- https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
- https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
- https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
- https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
- https://nvd.nist.gov/vuln/detail/CVE-2025-58751
Affected packages
Git / github.com/lukeed/sirv
Affected ranges
- Type
- GIT
- Repo
- https://github.com/lukeed/sirv
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.3.0
v0.3.1
v0.3.2
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.19
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v2.*
v2.0.0
v2.0.2
v2.0.3
v2.0.4
v3.*
v3.0.0
v3.0.1
Git / github.com/vitejs/vite
Affected ranges
- Type
- GIT
- Repo
- https://github.com/vitejs/vite
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixed
Affected versions
create-vite@6.*
create-vite@6.0.0
create-vite@6.0.1
create-vite@6.1.0
create-vite@6.1.1
create-vite@6.2.0
create-vite@6.2.1
create-vite@6.3.0
create-vite@6.3.1
create-vite@6.4.0
create-vite@6.4.1
create-vite@6.5.0
create-vite@7.*
create-vite@7.0.0
create-vite@7.0.1
create-vite@7.0.2
create-vite@7.0.3
create-vite@7.1.0
create-vite@7.1.1
plugin-legacy@6.*
plugin-legacy@6.0.0
plugin-legacy@6.0.1
plugin-legacy@6.0.2
plugin-legacy@6.1.0
plugin-legacy@6.1.1
plugin-legacy@7.*
plugin-legacy@7.0.0
plugin-legacy@7.0.0-beta.0
plugin-legacy@7.0.0-beta.1
plugin-legacy@7.0.1
plugin-legacy@7.1.0
plugin-legacy@7.2.0
plugin-legacy@7.2.1
v6.*
v6.0.0
v6.0.1
v6.0.10
v6.0.11
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.0
v6.1.0-beta.0
v6.1.0-beta.1
v6.1.0-beta.2
v6.1.1
v6.2.0
v6.2.0-beta.0
v6.2.0-beta.1
v6.2.1
v6.2.2
v6.3.0
v6.3.0-beta.0
v6.3.0-beta.1
v6.3.0-beta.2
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v7.*
v7.0.0
v7.0.0-beta.0
v7.0.0-beta.1
v7.0.0-beta.2
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.1.0
v7.1.0-beta.0
v7.1.0-beta.1
v7.1.1
v7.1.2
v7.1.3
v7.1.4