Vite middleware may serve files starting with the same name with the public directory
- Severity:
- Low
Description
Files starting with the same name with the public directory were served bypassing the server.fs settings.
Recommendation
Update the vite package to the latest compatible version. Followings are version details:
Affected version(s): **<= 5.4.19 >= 6.0.0, <= 6.3.5 >= 7.0.0, <= 7.0.6 >= 7.1.0, <= 7.1.4** Patched version(s): **5.4.20 6.3.6 7.0.7 7.1.5**
References
Related Issues
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
- Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
- Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - CVE-2025-64525
You might also like:
- Tags:
- npm
- vite
Anything's wrong? Let us know Last updated on September 09, 2025


