CVE-2025-58752: 
JavaScript vulnerability analysis and mitigation

CVE-2025-58752 affects Vite, a frontend tooling framework for JavaScript. The vulnerability was discovered and disclosed on September 8, 2025, affecting versions prior to 7.1.5, 7.0.7, 6.3.6, and 5.4.20. The issue allows HTML files on the machine to be served regardless of the server.fs settings, potentially exposing sensitive information (GitHub Advisory).

The vulnerability stems from the serveStaticMiddleware function's handling of HTML files. When a file with '.html' extension is requested, the server bypasses standard security checks and forwards the request to htmlFallbackMiddleware and indexHtmlMiddleware, which don't perform access control checks. This affects applications that expose the Vite dev server to the network using --host or server.host config option and use appType: 'spa' (default) or appType: 'mpa'. The CVSS v4.0 score is 2.3 (Low), with a vector string of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability can lead to unauthorized access to HTML files outside the intended directory structure, potentially exposing sensitive information. This affects both the development server and the preview server, where HTML files not under the output directory could be served (GitHub Advisory).

The vulnerability has been patched in versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20. Users are advised to upgrade to these or later versions to address the security issue (GitHub Advisory).