hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动
文件
bfd7d732ae35bb669a94dcdad31fa0b755324bfd
websafe-kb/08-threat-intel/registry/advisories/vite--CVE-2025-58752.json
hao bfd7d732ae feat: sync version-driven intel coverage
2026-03-21 18:18:55 -07:00

226 行
14 KiB
JSON
原始文件 Blame 文件历史

{
"canonical_id": "vite--CVE-2025-58752",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite's `server.fs` settings were not applied to HTML files",
"summary": "### Summary\nAny HTML files on the machine were served regardless of the `server.fs` settings.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host))\n- `appType: 'spa'` (default) or `appType: 'mpa'` is used\n\nThis vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.\n\n### Details\nThe [serveStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L123) function is in charge of serving static files from the server. It returns the [viteServeStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L136) function which runs the needed tests and serves the page. The viteServeStaticMiddleware function [checks if the extension of the requested file is \".html\"](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L144). If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case [htmlFallbackMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/htmlFallback.ts#L14), and then to [indexHtmlMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/indexHtml.ts#L438). These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.\n\n### PoC\nExecute the following shell commands:\n\n```\nnpm create vite@latest\ncd vite-project/\necho \"secret\" > /tmp/secret.html\nnpm install\nnpm run dev\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'`\n\nThe contents of /tmp/secret.html will be returned.\n\nThis will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:\n\n```\necho 'import path from \"node:path\"; import { defineConfig } from \"vite\"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, \"secret_files/*\")]}}})' > [vite.config.js](http://vite.config.js)\nmkdir secret_files\necho \"secret txt\" > secret_files/secret.txt\necho \"secret html\" > secret_files/secret.html\nnpm run dev\n\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'`\n\nYou will receive a 403 HTTP Response,\u00a0 because everything in the secret_files directory is denied.\n\nNow in the same shell run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'`\n\nYou will receive the contents of secret_files/secret.html.",
"published_at": "2025-09-09T20:54:42Z",
"updated_at": "2026-02-04T04:35:16.287471Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-58752",
"https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f",
"https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e",
"https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea",
"https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
"https://github.com/vitejs/vite",
"https://github.com/vitejs/vite/blob/v7.1.5/packages/vite/CHANGELOG.md"
],
"aliases": [
"CVE-2025-58752",
"GHSA-jqfw-vq24-v9c3"
],
"cve_ids": [
"CVE-2025-58752"
],
"ghsa_ids": [
"GHSA-jqfw-vq24-v9c3"
],
"osv_ids": [
"GHSA-jqfw-vq24-v9c3"
],
"affected_versions": [
"introduced=7.1.0, fixed<7.1.5",
"introduced=7.0.0, fixed<7.0.7",
"introduced=6.0.0, fixed<6.3.6",
"introduced=0, fixed<5.4.20"
],
"fixed_versions": [
"7.1.5",
"7.0.7",
"6.3.6",
"5.4.20"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-58752.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"status": "generated",
"triage_reasons": [],
"entity_refs": [
{
"entity_id": "vite",
"entity_type": "system",
"relation": "root-system",
"root_system_id": "vite",
"official": true
},
{
"entity_id": "vite--extension--vite",
"entity_type": "extension",
"relation": "affected-component",
"root_system_id": "vite",
"official": false
}
],
"affected_components": [
{
"name": "vite",
"entity_id": "vite--extension--vite",
"scope": "extension",
"package_name": "vite",
"official": false
}
],
"affected_version_ranges": [
"introduced=7.1.0, fixed<7.1.5",
"introduced=7.0.0, fixed<7.0.7",
"introduced=6.0.0, fixed<6.3.6",
"introduced=0, fixed<5.4.20"
],
"fixed_version_ranges": [
"7.1.5",
"7.0.7",
"6.3.6",
"5.4.20"
],
"introduced_version": "introduced=0, fixed<5.4.20",
"patched_version": "7.1.5",
"version_evidence_sources": [
"https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3",
"https://nvd.nist.gov/vuln/detail/CVE-2025-58752",
"https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f",
"https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e",
"https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea",
"https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
"https://github.com/vitejs/vite",
"https://github.com/vitejs/vite/blob/v7.1.5/packages/vite/CHANGELOG.md"
],
"affected_version_refs": [
"vite--extension--vite--introduced-7-1-0-fixed-7-1-5",
"vite--extension--vite--introduced-7-0-0-fixed-7-0-7",
"vite--extension--vite--introduced-6-0-0-fixed-6-3-6",
"vite--extension--vite--introduced-0-fixed-5-4-20"
],
"fixed_version_refs": [
"vite--extension--vite--7-1-5",
"vite--extension--vite--7-0-7",
"vite--extension--vite--6-3-6",
"vite--extension--vite--5-4-20"
],
"patched_version_refs": [
"vite--extension--vite--7-1-5"
],
"version_sync_confidence": "high",
"advisory_scope": "extension",
"version_confidence": "high",
"version_gap_reason": "",
"version_resolution_needed": false,
"workflow": {
"workflow_id": "vite--CVE-2025-58752--workflow",
"vuln_family": "proxy-boundary",
"entry_surface": "proxy-header-or-trust-boundary",
"preconditions": [
"\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
"\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: introduced=7.1.0, fixed<7.1.5, introduced=7.0.0, fixed<7.0.7, introduced=6.0.0, fixed<6.3.6",
"\u82e5\u5bf9\u8c61\u5c5e\u4e8e `extension`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
],
"required_role": "reverse-proxy-or-edge-client",
"affected_version_assertion": [
"introduced=7.1.0, fixed<7.1.5",
"introduced=7.0.0, fixed<7.0.7",
"introduced=6.0.0, fixed<6.3.6",
"introduced=0, fixed<5.4.20"
],
"trigger_vector": "\u5bf9 `proxy-boundary` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
"request_or_ui_path": [
"/middleware",
"/x-forwarded-* trust path"
],
"input_shape": "\u63d0\u4ea4\u53d7\u63a7\u4ee3\u7406\u5934\u6216\u6765\u6e90\u5934\uff0c\u9a8c\u8bc1\u4fe1\u4efb\u8fb9\u754c\u548c\u56de\u6e90\u9274\u6743\u3002",
"expected_unsafe_behavior": "\u4ec5\u51ed\u4ee3\u7406\u5934\u5373\u53ef\u8d8a\u8fc7\u9274\u6743\u6216\u6765\u6e90\u63a7\u5236\u3002",
"server_evidence_points": [
"\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
"\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56",
"\u63d2\u4ef6/\u6269\u5c55\u7ba1\u7406\u65e5\u5fd7\u3001\u5b89\u88c5\u65e5\u5fd7\u4e0e\u7248\u672c\u6e05\u5355"
],
"browser_evidence_points": [
"\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
"console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
],
"db_or_fs_evidence_points": [
"\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
"\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9",
"\u63d2\u4ef6\u76ee\u5f55\u3001\u4e3b\u9898\u76ee\u5f55\u6216\u6269\u5c55\u914d\u7f6e\u8868\u4e2d\u7684\u6d4b\u8bd5\u6837\u672c"
],
"detection_signals": [
"WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
"\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6",
"\u4e0a\u6e38\u4ee3\u7406\u4e0e\u5e94\u7528\u5c42\u5bf9 Content-Length / Transfer-Encoding / forwarded headers \u7684\u89e3\u91ca\u5dee\u5f02"
],
"mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
"patch_validation_steps": [
"\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `introduced=7.1.0, fixed<7.1.5, introduced=7.0.0, fixed<7.0.7, introduced=6.0.0, fixed<6.3.6` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `7.1.5`\u3002",
"\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
"\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
"\u8865\u5145 `proxy-boundary` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
],
"lab_safety_notes": [
"\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
"\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
"\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
],
"review_state": "ready"
},
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T04:05:59+00:00",
"last_run_id": "vite-vite--CVE-2025-58752-20260318040552",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552",
"historical_status": "verified-real",
"latest_status": "verified-real",
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/proof-page.json"
]
},
"repro_profile_id": "vite-proxy-boundary",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Vite"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 1,
"entity_ref_count": 2,
"advisory_scope": "extension",
"version_confidence": "high",
"workflow_id": "vite--CVE-2025-58752--workflow"
}
}
在新工单中引用 查看 Git Blame 复制永久链接