CVE-2025-58751 Scanner

The Vite Dev Server, a critical part of the modern web development workflow, is predominantly used by developers looking for a rapid and efficient way to build and test frontend applications. Its main focus is to provide fast development server capabilities, primarily for JavaScript-based projects. Companies and developers use Vite to handle static assets during development and serve applications over a network. The tooling framework offered by Vite facilitates the building, reliable versioning, and dynamic update of applications in a development environment, contributing to streamlined workflows. The framework is appreciated for its speed and configuration-free nature and supports a variety of modern JavaScript features. It is particularly beneficial for projects requiring constant builds and deployments to ensure features are updated and defect-free.

This vulnerability revolves around a path traversal flaw in the Vite Dev Server, specifically affecting applications exposing the Vite dev server to the network. It allows attackers to access unauthorized files by bypassing certain filesystem restrictions set in place. The issue has been identified in versions prior to 7.1.5, 7.0.7, 6.3.6, and 5.4.20. It exploits symlinks within the public directory, which can be affected under specific server configuration scenarios. In configurations using `--host` or `server.host`, the server may inadvertently expose sensitive files to users with network access. The discovery of this vulnerability underscores the need for configurations that prevent extraneous network exposure of development files.

Technically, the vulnerability is exploited by requesting files that start with the same name as the public directory. The path traversal occurs because these requests bypass the `server.fs` settings that aim to restrict filesystem access. An attacker can make a request that navigates back directories (`../`) and accesses files like `package.json`. The server, when configured improperly, does not adequately handle these cases. The issue arises particularly when symlinks in the public directory exist, causing a misconfigured server to serve sensitive files.

If exploited, this vulnerability can have serious repercussions. Unauthorized users could access confidential files, potentially exposing sensitive application data or system configurations. Malicious actors can utilize this information to craft more targeted attacks against the application or gain deeper insights into the structure of the application codebase. The exposure of critical files can lead to data leaks, affecting not only the application integrity but also possibly compromising user and operational data.

REFERENCES

• https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
• https://nvd.nist.gov/vuln/detail/CVE-2025-58751