
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-58751 affects Vite, a frontend tooling framework for JavaScript. The vulnerability was discovered on September 8, 2025, and affects versions prior to 7.1.5, 7.0.7, 6.3.6, and 5.4.20. The issue allows files whose path begins with the same name as the public directory to be served, bypassing the server.fs settings (GitHub Advisory, NVD).
The vulnerability stems from a path traversal issue in Vite's static file serving logic. When the public directory feature is enabled and contains a symlink, the servePublicMiddleware function may incorrectly handle path normalization, allowing access to files outside the intended directory. The issue occurs because sirv (the underlying library) trims trailing slashes from the public directory path, which can cause the startsWith function to return true for paths that should be restricted. The vulnerability has a CVSS v4.0 Base Score of 2.3 (Low) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).
The vulnerability can lead to unauthorized access to files outside the intended public directory. This could potentially expose sensitive information if an attacker crafts specific paths with '../' sequences to traverse the directory structure. However, the impact is limited as it requires specific conditions to be exploitable: the Vite dev server must be exposed to the network, the public directory feature must be enabled, and a symlink must exist in the public directory (Red Hat).
The vulnerability has been fixed in Vite versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20. Users should upgrade to these or later versions. For those unable to upgrade immediately, recommended mitigations include: 1) Avoid exposing the Vite dev server (--host / server.host) to untrusted networks, and 2) Do not allow symlinks inside the public directory that reference files outside of it (GitHub Advisory).
Source: This report was generated using AI