Bug 2393970 (CVE-2025-58751)

Summary: CVE-2025-58751 vitejs/vite: lukeed/sirv: Vite middleware may serve files starting with the same name with the public directory
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aazores, alcohan, anjoseph, asoldano, bbaranow, bmaxwell, brasmith, brian.stansberry, caswilli, cmah, cochase, darran.lofthouse, dkreling, dosoudil, dranck, dward, eaguilar, ebaron, eric.wittmann, fjuma, gparvin, haoli, hkataria, istudens, ivassile, iweiss, jajackso, janstey, jcammara, jkoehler, jmitchel, jneedle, jolong, jprabhak, jwendell, jwong, kaycoth, kegrant, koliveir, kshier, lphiri, mabashia, manissin, mosmerov, msochure, msvehla, mwringe, nipatil, njean, nwallace, oblaut, owatkins, pahickey, pantinor, pbraun, pesilva, pjindal, pmackay, rcernich, rhaigner, rkubis, rstancel, sdawley, shvarugh, simaishi, smaestri, smcdonal, stcannon, teagle, tfister, thavo, tom.jenkinson, ttakamiy, wtam, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A path traversal vulnerability has been identified in Vite’s static file serving logic, where files outside of the intended public directory may be served if their names share the same prefix or if symlinks are used to traverse upwards in the filesystem. An attacker could exploit this by placing a symlink inside the public directory that points to sensitive files elsewhere on the host and then requesting crafted paths to read those files.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2395135, 2395136, 2395137, 2395138, 2395139, 2395140, 2395141, 2395142, 2395143
Bug Blocks:

Description OSIDB Bzimport 2025-09-08 23:01:38 UTC
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files whose names begin with the same name as the public directory were served, bypassing the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using `--host` or the `server.host` config option), use the public directory feature (enabled by default), and have a symlink in the public directory are affected. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.