#VU125309 Relative Path Traversal in Vite - CVE-2025-58752

 


Published: April 8, 2026


Vulnerability identifier: #VU125309
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-58752
CWE-ID: CWE-23
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Vite
Software vendor: Vite

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to relative path traversal in HTML file handling middleware when processing requests for HTML files. A remote attacker can send a specially crafted request to disclose sensitive information.

Only applications that explicitly expose the Vite dev server to the network and use appType 'spa' or 'mpa' are affected. The issue also affects the preview server.
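
The affected conditions above can be checked against a project's Vite configuration. The following is an added example, not code from the advisory or from the Vite project; it assumes that "exposed to the network" corresponds to a non-loopback `server.host` or `preview.host` value, and the function names and sample configs are hypothetical.

```javascript
// Added example: reports which Vite servers in a config object match the
// affected conditions (network-exposed host AND appType 'spa' or 'mpa').
// Assumption: exposure is determined by the server.host / preview.host options.

const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// host === true means "listen on all addresses"; undefined/false keeps the
// default loopback-only binding.
function isNetworkExposed(host) {
  if (host === undefined || host === null || host === false) return false;
  if (host === true) return true;
  return !LOOPBACK.has(String(host).toLowerCase());
}

// appType defaults to 'spa' when unset; 'custom' is outside the affected set.
function isAffectedAppType(config) {
  const appType = config.appType ?? 'spa';
  return appType === 'spa' || appType === 'mpa';
}

// Returns the affected servers for a config: [], ['dev'], ['preview'] or both.
function affectedServers(config) {
  if (!isAffectedAppType(config)) return [];
  const hits = [];
  const devHost = config.server?.host;
  if (isNetworkExposed(devHost)) hits.push('dev');
  // preview.host falls back to server.host when it is not set.
  const previewHost = config.preview?.host ?? devHost;
  if (isNetworkExposed(previewHost)) hits.push('preview');
  return hits;
}

// Constructed sample configs (not taken from any real project).
const samples = {
  defaultLocal: {},
  exposedSpa: { server: { host: true } },
  exposedCustom: { appType: 'custom', server: { host: '0.0.0.0' } },
  previewOnly: { appType: 'mpa', preview: { host: '0.0.0.0' } },
};

for (const [name, cfg] of Object.entries(samples)) {
  console.log(name, JSON.stringify(affectedServers(cfg)));
}
```

A `--host` flag passed on the command line is not visible in the config object, so start scripts need the same review.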


Remediation

Install the security update from the vendor's website.

External links