Vite v6 Major Update Flags Critical Security Flaw CVE-2025-58752

A major dependency update for the Vite build tool has surfaced a critical security vulnerability, CVE-2025-58752, which could expose sensitive local files. The flaw, detailed in a GitHub security advisory, allows any HTML file on the host machine to be served by the Vite development server, bypassing intended file system restrictions. This exposure occurs regardless of the configured `server.fs` security settings, posing a direct data leak risk for developers.

The vulnerability specifically impacts applications that explicitly expose the Vite dev server to the network and have a public-facing HTML file. The issue was identified as part of a routine `chore(deps-major)` pull request to update the `vite` dependency from version 4.5.14 to the latest major release, v6.0.0. The automated update, managed by RenovateBot, triggered a linked GitHub Vulnerability Alert, highlighting the security advisory from the ViteJS team.

This discovery places immediate pressure on development teams to assess their deployment configurations. While the full impact scope is limited to specific conditions, the flaw represents a significant configuration risk for projects using Vite in development or preview modes. The presence of this CVE in a major version upgrade underscores the critical need for security reviews during dependency updates, even for routine tooling maintenance.