Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-h3c2-mbd1-zua6
Vulnerability ID VCID-h3c2-mbd1-zua6
Aliases CVE-2025-58751
GHSA-g4jq-h2w9-997c
Summary Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Status Published
Exploitability 0.5
Weighted Severity 3.3
Risk 1.6
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-284 Improper Access Control
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58751.json
epss 0.01434 https://api.first.org/data/v1/epss?cve=CVE-2025-58751
epss 0.01434 https://api.first.org/data/v1/epss?cve=CVE-2025-58751
epss 0.01434 https://api.first.org/data/v1/epss?cve=CVE-2025-58751
epss 0.01434 https://api.first.org/data/v1/epss?cve=CVE-2025-58751
cvssv3.1_qr LOW https://github.com/advisories/GHSA-g4jq-h2w9-997c
cvssv4 2.3 https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
generic_textual LOW https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
ssvc Track https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
cvssv4 2.3 https://github.com/vitejs/vite
generic_textual LOW https://github.com/vitejs/vite
cvssv4 2.3 https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
generic_textual LOW https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
ssvc Track https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
cvssv4 2.3 https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
generic_textual LOW https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
ssvc Track https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
cvssv4 2.3 https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
generic_textual LOW https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
ssvc Track https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
cvssv4 2.3 https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
generic_textual LOW https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
ssvc Track https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
cvssv3.1_qr LOW https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
cvssv4 2.3 https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
generic_textual LOW https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
ssvc Track https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
cvssv4 2.3 https://nvd.nist.gov/vuln/detail/CVE-2025-58751
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2025-58751
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58751.json
https://api.first.org/data/v1/epss?cve=CVE-2025-58751
https://github.com/vitejs/vite
https://nvd.nist.gov/vuln/detail/CVE-2025-58751
09f2b52e8d5907f26602653caf41b3a56692600d https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
2393970 https://bugzilla.redhat.com/show_bug.cgi?id=2393970
4f1c35bcbb5830290c694aa14b6789e07450f069 https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
63e2a5d232218f3f8d852056751e609a5367aaec https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
e11d24008b97d4ca731ecc1a3b95260a6d12e7e0 https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
f0113f3f8266328d804ee808f763a3c11f8997eb https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
GHSA-g4jq-h2w9-997c https://github.com/advisories/GHSA-g4jq-h2w9-997c
GHSA-g4jq-h2w9-997c https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58751.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-09T13:14:11Z/ Found at https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-58751
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.81108
EPSS Score 0.01434
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:59:31.175441+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/58xxx/CVE-2025-58751.json 38.6.0