CVE-2025-58751: Vite middleware may serve files starting with the same name with the public directory
Files whose names start with the same name as the public directory were served, bypassing the server.fs settings.
References
- github.com/advisories/GHSA-g4jq-h2w9-997c
- github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb
- github.com/vitejs/vite
- github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d
- github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069
- github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec
- github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0
- github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
- nvd.nist.gov/vuln/detail/CVE-2025-58751