PT-2025-36529 · Vite · Vite

Orihjfrog

·

Published

2025-09-08

·

Updated

2026-03-12

·

CVE-2025-58752

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vite prior to 7.1.5 (7.1.x line), prior to 7.0.7 (7.0.x line), prior to 6.3.6 (6.x line), and prior to 5.4.20 (5.x and all earlier lines).
Description: Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, the dev server could serve any HTML file on the machine regardless of the server.fs settings (server.fs.strict, server.fs.allow, server.fs.deny), so those options were not a mitigation. Only applications that explicitly expose the dev server to the network (via --host or the server.host config option) and use appType: 'spa' (the default) or appType: 'mpa' are affected; appType: 'custom' is not. The preview server is affected as well: it served HTML files located outside the build output directory. The impact is read-only disclosure of HTML files (CVSS C:L, no integrity or availability impact).
Recommendations: Update to Vite 7.1.5, 7.0.7, 6.3.6, or 5.4.20 (or later) on the release line in use. Until the upgrade is applied, do not expose the dev or preview server to the network (leave server.host unset so the server binds to localhost only); tightening server.fs.allow or server.fs.deny does not block this issue.
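A triage helper written for this entry (an added example; it is not Vite's code and does not come from the advisory). It encodes the four fixed releases listed above, decides whether an installed version is below the fix for its release line, and applies the advisory's exposure conditions to a vite.config object. Treating server.host as "exposed" when it is true (what --host sets) or a non-loopback address, and using server.host as the fallback for preview.host, is my reading of the advisory and of Vite's documented defaults; the weakConfig and hardenedConfig objects are constructed for illustration, and `opts.cliHost` is a hypothetical switch modelling the --host flag.

```javascript
// Added example for CVE-2025-58752, not Vite's own code. Assumptions are
// marked inline; the config objects at the bottom are constructed samples.

// First patched release per line, taken from the advisory. Order matters:
// the first entry whose `min` the version reaches is the line it belongs to,
// so 8.x (and anything >= 7.1.5) falls in the 7.1 line and is not affected.
const FIXED = [
  { min: [7, 1, 0], fixed: [7, 1, 5] },
  { min: [7, 0, 0], fixed: [7, 0, 7] },
  { min: [6, 0, 0], fixed: [6, 3, 6] },
  { min: [0, 0, 0], fixed: [5, 4, 20] }, // everything below 6.0.0 is fixed at 5.4.20
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true when `version` is below the first patched release of its line
function isVulnerableVersion(version) {
  const { core, pre } = parseVersion(version);
  const line = FIXED.find((l) => cmpCore(core, l.min) >= 0);
  const c = cmpCore(core, line.fixed);
  // a prerelease of the fixed version (7.1.5-beta.1) still precedes the fix
  return c < 0 || (c === 0 && pre !== null);
}

const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// Assumption: "exposed to the network" means host is true (what --host with no
// value sets) or a non-loopback address; unset/false is Vite's localhost default.
function isNetworkExposed(host) {
  if (host === undefined || host === null || host === false) return false;
  if (host === true) return true;
  return !LOOPBACK.has(String(host));
}

// Combine the version check with the advisory's exposure conditions.
// `opts.cliHost` (hypothetical) models `--host` on the command line, which
// applies to both `vite` and `vite preview`.
function assessConfig(version, config = {}, opts = {}) {
  const vulnerableVersion = isVulnerableVersion(version);
  const appType = config.appType ?? 'spa'; // 'spa' is Vite's default
  const devHost = opts.cliHost ? true : config.server?.host;
  // Vite's documented default for preview.host is server.host. The advisory
  // states no appType condition for the preview server, so none is applied.
  const previewHost = opts.cliHost ? true : (config.preview?.host ?? config.server?.host);
  const devExposed = isNetworkExposed(devHost) && (appType === 'spa' || appType === 'mpa');
  return {
    vulnerableVersion,
    devServerAtRisk: vulnerableVersion && devExposed,
    previewServerAtRisk: vulnerableVersion && isNetworkExposed(previewHost),
  };
}

// Constructed samples. The weak config relies on server.fs.deny, which the
// advisory says this bug ignores; the hardened one keeps the server on loopback.
const weakConfig = { server: { host: true, fs: { strict: true, deny: ['.env', '**/*.html'] } } };
const hardenedConfig = { server: { host: 'localhost', fs: { strict: true } } };

console.log('weak on 7.1.4:', assessConfig('7.1.4', weakConfig));
console.log('hardened on 7.1.4:', assessConfig('7.1.4', hardenedConfig));
console.log('weak on 7.1.5:', assessConfig('7.1.5', weakConfig));
```

Feed it the `vite` version from package-lock.json together with the project's config to get a per-project verdict; a version below the fix on a loopback-only server still reports vulnerableVersion: true so the upgrade is not forgotten, but devServerAtRisk stays false until someone adds --host.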

Weakness Enumeration

Improper Access Control
Relative Path Traversal
Information Disclosure

Related Identifiers

CVE-2025-58752
GHSA-JQFW-VQ24-V9C3

Affected Products

Vite