Bug 2393983 (CVE-2025-58752)
| Summary: | CVE-2025-58752 vite: Vite's `server.fs` settings were not applied to HTML files | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, brian.stansberry, darran.lofthouse, dkreling, dosoudil, fjuma, haoli, hkataria, istudens, ivassile, iweiss, jajackso, jcammara, jmitchel, jneedle, jwong, kegrant, koliveir, kshier, mabashia, mosmerov, msochure, msvehla, mwringe, nwallace, pbraun, pesilva, pjindal, pmackay, rstancel, sdawley, shvarugh, simaishi, smaestri, smcdonal, stcannon, teagle, tfister, thavo, tom.jenkinson, ttakamiy, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A path traversal / static-file serving bypass vulnerability has been identified in Vite’s static file server, where HTML files located outside the configured root or deny/allow lists may be served even when server.fs settings (such as deny) are used. An attacker can exploit this by requesting HTML files (via paths using .. or similar) that should be blocked, but are returned because the middleware chain falls back to HTML-fallback and index HTML handlers which do not enforce the file system restrictions.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-09-09 00:01:51 UTC
|