CVE-2025-58751
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files starting with the same name with the public directory were served bypassing the server.fs settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
| Software | From | Fixed in |
|---|---|---|
vitejs / vite
|
7.1.0 | 7.1.5 |
|
vitejs / vite
|
7.0.0 | 7.0.7 |
|
vitejs / vite
|
6.0.0 | 6.3.6 |
|
vitejs / vite
|
- | 5.4.20 |
- https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
- https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
- https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
- https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
- https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
- https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime