Vite middleware may serve files starting with the same name with the public directory

Description

Files starting with the same name with the public directory were served bypassing the server.fs settings.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 5.4.19

  >= 6.0.0, <= 6.3.5

  >= 7.0.0, <= 7.0.6

  >= 7.1.0, <= 7.1.4**

• Patched version(s): **5.4.20

  6.3.6

  7.0.7

  7.1.5**

References

• GHSA-g4jq-h2w9-997c
• CVE-2025-58751
• CWE-200
• CWE-22
• CWE-284
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
• Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
• Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
• Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - CVE-2025-64525

Tags:

npm

vite