Vite middleware may serve files starting with the same name as the public directory
- Severity: Low
Description
Files whose names merely start with the public directory's name (for example a sibling directory sharing its prefix) were treated as public files and served, bypassing the server.fs settings.
Recommendation
Update the vite package to the latest compatible version. Version details follow (affected range, then the patched version for that line):
- <= 5.4.19, patched in **5.4.20**
- >= 6.0.0, <= 6.3.5, patched in **6.3.6**
- >= 7.0.0, <= 7.0.6, patched in **7.0.7**
- >= 7.1.0, <= 7.1.4, patched in **7.1.5**
Related Issues
- Astro allows unauthorized third-party images in _image endpoint (GHSA-xf8x-j4p2-f749) - CVE-2025-55303
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
- Tags: npm, vite
Last updated on September 09, 2025