Description
Any HTML files on the machine were served regardless of the server.fs settings.
Recommendation
Update the vite package to the latest compatible version. Version details follow:
Affected version(s): **<= 5.4.19; >= 6.0.0, <= 6.3.5; >= 7.0.0, <= 7.0.6; >= 7.1.0, <= 7.1.4**
Patched version(s): **5.4.20, 6.3.6, 7.0.7, 7.1.5**
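To confirm whether a project still resolves an affected vite release, including copies nested under other dependencies, the ranges above can be checked against an npm lockfile. This is an added example, not code from the advisory or from the Vite project; the function names and the sample lockfile are constructed, and it assumes the `packages` map of an npm lockfile (lockfileVersion 2 or 3).

```javascript
// Affected ranges and patched versions as listed in this advisory.
const AFFECTED = [
  { min: null,    max: "5.4.19", patched: "5.4.20" },
  { min: "6.0.0", max: "6.3.5",  patched: "6.3.6" },
  { min: "7.0.0", max: "7.0.6",  patched: "7.0.7" },
  { min: "7.1.0", max: "7.1.4",  patched: "7.1.5" },
];

// Parse "major.minor.patch". Assumption: prerelease/build suffixes are
// ignored, so review prerelease builds of a patched version by hand.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Returns { affected, patched } for one installed vite version.
function checkVite(version) {
  for (const r of AFFECTED) {
    if ((r.min === null || cmp(version, r.min) >= 0) && cmp(version, r.max) <= 0)
      return { affected: true, patched: r.patched };
  }
  return { affected: false, patched: null };
}

// Report every vite copy in the lockfile's "packages" map, nested ones included.
function scanLockfile(lock) {
  const findings = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (pkgPath === "node_modules/vite" || pkgPath.endsWith("/node_modules/vite")) {
      findings.push({ path: pkgPath, version: meta.version, ...checkVite(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/vite": { version: "7.1.5" },
  "node_modules/some-tool/node_modules/vite": { version: "6.3.5" },
  "node_modules/vitest": { version: "3.0.0" },
}};
console.log(scanLockfile(sampleLock));
```

The nested copy at 6.3.5 is reported as affected even though the top-level vite is patched, which is the case a check of `package.json` alone misses.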
References
Related Issues
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
- Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751
- OpenPGP.js's message signature verification can be spoofed - CVE-2025-47934
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
Tags: npm, vite
Last updated on September 09, 2025