Vite middleware may serve files starting with the same name with the public directory

Description

Files starting with the same name with the public directory were served bypassing the server.fs settings.

Recommendation

Update the vite package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 5.4.19

  >= 6.0.0, <= 6.3.5

  >= 7.0.0, <= 7.0.6

  >= 7.1.0, <= 7.1.4**

• Patched version(s): **5.4.20

  6.3.6

  7.0.7

  7.1.5**

References

• GHSA-g4jq-h2w9-997c
• CVE-2025-58751
• CWE-200
• CWE-22
• CWE-284
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
• Astro allows unauthorized third-party images in _image endpoint (GHSA-xf8x-j4p2-f749) - CVE-2025-55303
• Astros's duplicate trailing slash feature leads to an open redirection security issue - CVE-2025-54793
• Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565

Tags:

npm

vite