Vite v5 Security Update Addresses Critical File-Serving Bypass Vulnerability (CVE-2025-58751)

A critical security vulnerability in the Vite development server, tracked as CVE-2025-58751, allows files to bypass configured security restrictions. The flaw enables files starting with the same name as those in a project's public directory to be served, effectively ignoring the `server.fs` settings designed to limit file access. This creates a direct path for potential unauthorized data exposure from the host filesystem during development.

The vulnerability is specific to the Vite dev server and only impacts applications that explicitly expose it to the network and have a public directory configured. The issue has been addressed in the latest major version update, Vite 5.4.21. A dependency management bot has automatically generated a pull request to upgrade from Vite 4.5.6, highlighting the update's security nature. The advisory from the Vite team provides the technical details of the bypass mechanism.

This vulnerability underscores the persistent security risks in modern web development toolchains, where local development servers can become unintended attack surfaces if exposed. Teams using Vite must verify their configurations and apply the update promptly, especially if their dev server is network-accessible. The automated update path via RenovateBot signals the severity, pushing this from a routine chore to a mandatory security patch.