Bug 2393970 (CVE-2025-58751)
Summary: | CVE-2025-58751 vitejs/vite: lukeed/sirv: Vite middleware may serve files starting with the same name with the public directory | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
Status: | NEW --- | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | aazores, alcohan, anjoseph, asoldano, bbaranow, bmaxwell, brasmith, brian.stansberry, caswilli, cmah, cochase, darran.lofthouse, dkreling, dosoudil, dranck, dward, eaguilar, ebaron, eric.wittmann, fjuma, gparvin, haoli, hkataria, istudens, ivassile, iweiss, jajackso, janstey, jcammara, jkoehler, jmitchel, jneedle, jolong, jprabhak, jwendell, jwong, kaycoth, kegrant, koliveir, kshier, lphiri, mabashia, manissin, mosmerov, msochure, msvehla, mwringe, nipatil, njean, nwallace, oblaut, owatkins, pahickey, pantinor, pbraun, pesilva, pjindal, pmackay, rcernich, rhaigner, rkubis, rstancel, sdawley, shvarugh, simaishi, smaestri, smcdonal, stcannon, teagle, tfister, thavo, tom.jenkinson, ttakamiy, wtam, yguenane |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | --- | |
Doc Text: |
A path traversal vulnerability has been identified in Vite’s static file serving logic, where files outside of the intended public directory may be served if their names share the same prefix or if symlinks are used to traverse upwards in the filesystem. An attacker could exploit this by placing a symlink inside the public directory that points to sensitive files elsewhere on the host and then requesting crafted paths to read those files.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2395135, 2395136, 2395137, 2395138, 2395139, 2395140, 2395141, 2395142, 2395143 | ||
Bug Blocks: |
Description
OSIDB Bzimport
2025-09-08 23:01:38 UTC
|