Relative Path Traversal in Vite - CVE-2025-58752

 


Published: April 8, 2026


Vulnerability identifier: #VU125309
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-58752
CWE-ID: CWE-23
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Vite
Affected software:
Vite

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to relative path traversal in the HTML file handling middleware when it processes requests for HTML files. A remote attacker can send a specially crafted request to disclose sensitive information.

Only applications that explicitly expose the Vite dev server to the network and use appType 'spa' or 'mpa' are affected. The issue also affects the preview server.
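The exposure conditions above can be checked against a project's Vite configuration. The following is an added example, not code from the Vite project or from this advisory. The function names are hypothetical, it inspects only the config object (a `--host` flag passed on the command line is not seen), and it does not check the installed Vite version.

```javascript
// Added example: evaluates a Vite config object against the exposure
// conditions stated in this advisory. Function names are hypothetical.

const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// Vite's server.host defaults to 'localhost'; `true` or any non-loopback
// address makes the server reachable from the network.
function isNetworkExposed(host) {
  if (host === undefined || host === false) return false;
  if (host === true) return true;
  return !LOOPBACK.has(String(host).toLowerCase());
}

// Reports which servers (dev, preview) meet the advisory's conditions.
function assessViteConfig(config = {}) {
  const appType = config.appType ?? 'spa'; // Vite's default appType is 'spa'
  const servesHtml = appType === 'spa' || appType === 'mpa';
  const devHost = config.server?.host;
  // preview.host falls back to server.host when it is not set
  const previewHost = config.preview?.host ?? devHost;
  const exposed = [];
  if (servesHtml && isNetworkExposed(devHost)) exposed.push('dev');
  if (servesHtml && isNetworkExposed(previewHost)) exposed.push('preview');
  return { appType, exposed, affectedConfiguration: exposed.length > 0 };
}

// Constructed sample configurations
const samples = {
  defaults: {},
  lanDev: { server: { host: true } },
  customApp: { appType: 'custom', server: { host: '0.0.0.0' } },
  previewOnly: { preview: { host: '0.0.0.0' } },
};
for (const [name, cfg] of Object.entries(samples)) {
  console.log(name, JSON.stringify(assessViteConfig(cfg)));
}
```

A result with `affectedConfiguration: true` means the configuration matches the conditions described here; whether the installed release is vulnerable still has to be confirmed against the vendor's update notes.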


How to mitigate CVE-2025-58752

Install the security update from the vendor's website.
