Vulnerability details: VCID-gefx-xng3-k3f4
Vulnerability ID VCID-gefx-xng3-k3f4
Aliases CVE-2025-58751
GHSA-g4jq-h2w9-997c
Summary Vite middleware may serve files starting with the same name with the public directory. Files starting with the same name with the public directory were served bypassing the `server.fs` settings.
Status Published
Exploitability 0.5
Weighted Severity 3.3
Risk 1.6
System Score Found at
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58751.json
epss 0.01434 https://api.first.org/data/v1/epss?cve=CVE-2025-58751
cvssv4 2.3 https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
generic_textual LOW https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
ssvc Track https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
cvssv4 2.3 https://github.com/vitejs/vite
generic_textual LOW https://github.com/vitejs/vite
cvssv4 2.3 https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
generic_textual LOW https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
ssvc Track https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
cvssv4 2.3 https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
generic_textual LOW https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
ssvc Track https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
cvssv4 2.3 https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
generic_textual LOW https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
ssvc Track https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
cvssv4 2.3 https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
generic_textual LOW https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
ssvc Track https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
cvssv4 2.3 https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
generic_textual LOW https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
ssvc Track https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
cvssv4 2.3 https://nvd.nist.gov/vuln/detail/CVE-2025-58751
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2025-58751
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58751.json
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-58751
Exploit Prediction Scoring System (EPSS)
Percentile 0.81054
EPSS Score 0.01434
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:25:01.075272+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vite/CVE-2025-58751.yml 38.6.0