Vite middleware may serve files starting with the same name with the public directory

Description

Files starting with the same name with the public directory were served bypassing the server.fs settings.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 5.4.19

  >= 6.0.0, <= 6.3.5

  >= 7.0.0, <= 7.0.6

  >= 7.1.0, <= 7.1.4**

• Patched version(s): **5.4.20

  6.3.6

  7.0.7

  7.1.5**

References

• GHSA-g4jq-h2w9-997c
• CVE-2025-58751
• CWE-200
• CWE-22
• CWE-284
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
• Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
• Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
• snowflake-sdk may incorrectly validate temporary credential cache file permissions - CVE-2025-24791

Tags:

npm

vite