Description
Any HTML files on the machine were served regardless of the `server.fs` settings.
Recommendation
Update the vite package to the latest compatible version. Version details:

Affected version(s): **<= 5.4.19**; **>= 6.0.0, <= 6.3.5**; **>= 7.0.0, <= 7.0.6**; **>= 7.1.0, <= 7.1.4**

Patched version(s): **5.4.20**, **6.3.6**, **7.0.7**, **7.1.5**
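To find installs that need the update, the affected ranges listed in this advisory can be checked against a lockfile. The following is an added example, not part of the original advisory or the Vite project; it assumes an npm `package-lock.json` with lockfileVersion 2 or 3, ignores pre-release suffixes, and uses function names and a sample lockfile constructed for illustration.

```javascript
// [lowest affected, highest affected, first patched], copied from this advisory.
const AFFECTED = [
  ["0.0.0", "5.4.19", "5.4.20"],
  ["6.0.0", "6.3.5", "6.3.6"],
  ["7.0.0", "7.0.6", "7.0.7"],
  ["7.1.0", "7.1.4", "7.1.5"],
];

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (assumption).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// First patched version for the range containing `version`, or null if unaffected.
function patchedFor(version) {
  const hit = AFFECTED.find(([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) <= 0);
  return hit ? hit[2] : null;
}

// Report every affected vite copy in lock.packages, nested installs included.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vite$/.test(path) || !meta.version) continue;
    const fix = patchedFor(meta.version);
    if (fix) findings.push({ path, installed: meta.version, upgradeTo: fix });
  }
  return findings;
}

// Constructed sample lockfile fragment (hypothetical package names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/vite": { version: "6.3.5" },
    "node_modules/docs-tool/node_modules/vite": { version: "5.4.20" },
    "node_modules/vitest/node_modules/vite": { version: "7.1.2" },
    "node_modules/vite-plugin-x": { version: "1.0.0" },
  },
};
console.log(auditLock(sampleLock));
```

Nested copies matter here because a dependency can pin its own vite even when the top-level install is patched.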
Related Issues
- Vite middleware may serve files starting with the same name with the public directory - CVE-2025-58751
- Vite's server.fs.deny bypassed with /. for files under project root - CVE-2025-46565
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- Vite has an `server.fs.deny` bypass with an invalid `request-target` - CVE-2025-32395
Tags: npm, vite
Last updated on September 09, 2025