SB2026040863 - Multiple vulnerabilities in Vite

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2025-58751)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in servePublicMiddleware / viteServePublicMiddleware when handling crafted path requests to public files. A remote attacker can send a specially crafted request using traversal sequences to disclose sensitive information.

Only applications that expose the Vite dev server to the network, use the public directory feature, and have a symbolic link anywhere inside the public directory are affected. User interaction is required.

2) Relative Path Traversal (CVE-ID: CVE-2025-58752)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to relative path traversal in HTML file handling middleware when processing requests for HTML files. A remote attacker can send a specially crafted request to disclose sensitive information.

Only applications that explicitly expose the Vite dev server to the network and use appType 'spa' or 'mpa' are affected. The issue also affects the preview server.

Remediation

Install update from vendor's website.

References

• https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c
• https://github.com/advisories/GHSA-g4jq-h2w9-997c
• https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3
• https://github.com/advisories/GHSA-jqfw-vq24-v9c3