CVE-2025-58751: 
JavaScript vulnerability analysis and mitigation

CVE-2025-58751 affects Vite, a frontend tooling framework for JavaScript. The vulnerability was discovered and disclosed on September 8, 2025, where files starting with the same name as the public directory were served bypassing the server.fs settings. This vulnerability affects versions prior to 7.1.5, 7.0.7, 6.3.6, and 5.4.20 (GitHub Advisory).

The vulnerability occurs in the servePublicMiddleware function which is responsible for serving public files from the server. When publicFiles is undefined due to a symbolic link in the public directory, every requested page gets passed to the public serving function. The sirv library's path handling allows attackers to bypass directory restrictions through path traversal. The vulnerability received a CVSS v4.0 score of 2.3 (Low) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability only affects applications that meet specific conditions: 1) explicitly expose the Vite dev server to the network using --host or server.host config option, 2) use the public directory feature (enabled by default), and 3) have a symlink in the public directory. When exploited, it allows attackers to access files outside the intended directory structure, potentially exposing sensitive information (GitHub Advisory).

The vulnerability has been fixed in Vite versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20. Users should upgrade to these patched versions to mitigate the vulnerability. The fix involves proper handling of directory paths and symbolic links in the sirv library (GitHub Advisory).