CVE-2025-58752: 
JavaScript vulnerability analysis and mitigation

CVE-2025-58752 affects Vite, a frontend tooling framework for JavaScript. The vulnerability was discovered on September 8, 2025, and affects versions prior to 7.1.5, 7.0.7, 6.3.6, and 5.4.20. The issue allows any HTML files on the machine to be served regardless of the server.fs settings, potentially exposing sensitive information (GitHub Advisory).

The vulnerability stems from improper access control in the server's middleware chain. When handling HTML files, the server bypasses the normal file system restrictions by skipping security checks in the htmlFallbackMiddleware and indexHtmlMiddleware. This affects applications that explicitly expose the Vite dev server to the network using --host or server.host config option and use appType: 'spa' (default) or appType: 'mpa'. The vulnerability has a CVSS v4.0 Base Score of 2.3 (Low) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (NVD).

The vulnerability allows unauthorized access to HTML files outside the intended directory structure, potentially exposing sensitive information. The preview server is also affected, allowing access to HTML files not under the output directory. This could lead to information disclosure if sensitive HTML files are present on the system (GitHub Advisory).

Users should upgrade to the patched versions: 7.1.5, 7.0.7, 6.3.6, or 5.4.20. Until the upgrade is possible, it is recommended to avoid exposing the dev or preview server to untrusted networks, disable or restrict HTML fallback handlers if possible, and carefully review server.fs.allow / server.fs.deny settings to minimize exposure (GitHub Advisory).