PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-58752 Siemens CVE debrief

CVE-2025-58752 describes a file-serving restriction bypass in Vite that can expose HTML files on the machine even when server.fs controls are set. According to the published advisory text, the issue matters most when the dev server is intentionally exposed to the network and when the app uses the default SPA mode or MPA mode. The advisory also says the preview server can serve HTML files outside the output directory. CISA’s republished advisory ties the issue to Siemens SIDIS Prime, so affected owners should verify their exact product/version mapping and apply the vendor remediation promptly.

Vendor: Siemens
Product: SIDIS Prime
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-12
Advisory published: 2026-03-10
Advisory updated: 2026-03-12

Who should care

Siemens SIDIS Prime administrators, teams operating exposed Vite dev or preview servers, and security teams responsible for development or staging systems that are reachable from untrusted networks.

Technical summary

The advisory text states that prior to Vite 7.1.5, 7.0.7, 6.3.6, and 5.4.20, HTML files on the machine could be served regardless of server.fs settings. The affected condition requires a network-exposed dev server (started with --host or configured with server.host) and appType set to spa or mpa; the preview server is also affected because it could serve HTML files outside the output directory. The listed CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, which matches the source's description of a limited confidentiality impact with no integrity or availability impact.

Defensive priority

Medium: prioritize quickly if any affected dev or preview server is reachable over the network, because the bypass can expose local HTML content beyond the intended file scope.

Recommended defensive actions

  • Apply the vendor remediation listed in the advisory: update to V4.0.800 or later for the Siemens SIDIS Prime product path in the source advisory.
  • If you directly manage Vite, confirm you are on a fixed release: 7.1.5, 7.0.7, 6.3.6, or 5.4.20, depending on your release line.
  • Avoid exposing Vite dev or preview servers to untrusted networks; remove --host/server.host exposure unless it is strictly required.
  • Review server.fs and appType settings in affected environments and verify that local HTML files outside approved roots are not reachable.
  • Segment and firewall development and preview services so they are only accessible from trusted administrative networks.
  • Validate affected systems against the Siemens/CISA advisory references before and after patching to confirm the product/version mapping and remediation status.
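The version and configuration checks above can be scripted. The following is an added example written for this debrief, not code from PatchSiren, Siemens, or the Vite project: it takes a resolved Vite config object and a Vite version string and reports the conditions the advisory text names (a pre-fix release, a network-exposed dev server with appType spa or mpa, and a network-exposed preview server). The fixed releases come from the advisory; the config keys server.host, server.fs, appType and preview.host are Vite's documented options. It goes slightly beyond the listed releases by judging later patch and minor versions on the same major line, and it reports 4.x or other unlisted majors as unknown rather than guessing. A --host flag passed on the command line is not visible in the config object, so it must be checked separately.

```javascript
// Added example: audit a Vite config object and version against the advisory conditions.
// Not PatchSiren's, Siemens', or Vite's code. Fixed releases are from the advisory text.

const FIXED_RELEASES = ['7.1.5', '7.0.7', '6.3.6', '5.4.20'];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'fixed', 'vulnerable', or 'unknown' (a major line the advisory does not list).
function viteVersionStatus(version) {
  const v = parseVersion(version);
  const sameMajor = FIXED_RELEASES.map(parseVersion).filter(f => f[0] === v[0]);
  if (sameMajor.length === 0) return 'unknown';
  // Compare against the fixed release on the highest minor line not above v's minor line;
  // a minor line below every fixed line in this major (e.g. 6.2.x) is pre-fix.
  const applicable = sameMajor.filter(f => f[1] <= v[1]).sort((x, y) => y[1] - x[1])[0];
  if (!applicable) return 'vulnerable';
  return compareVersions(v, applicable) >= 0 ? 'fixed' : 'vulnerable';
}

// Vite's default host is localhost; `true` listens on all addresses; a string sets the address.
function isNetworkExposed(host) {
  if (host === undefined || host === false) return false;
  if (host === true) return true;
  return !['localhost', '127.0.0.1', '::1'].includes(String(host));
}

// Returns an array of finding strings; an empty array means nothing to flag.
function auditViteConfig(config, version) {
  const findings = [];
  const status = viteVersionStatus(version);
  const appType = config.appType ?? 'spa'; // Vite's default appType is 'spa'
  const devExposed = isNetworkExposed(config.server?.host);
  const previewExposed = isNetworkExposed(config.preview?.host);

  if (status === 'vulnerable') {
    findings.push(`vite ${version} predates the fixed releases (${FIXED_RELEASES.join(', ')})`);
  } else if (status === 'unknown') {
    findings.push(`vite ${version} is on a release line the advisory does not list; verify manually`);
  }
  if (devExposed && ['spa', 'mpa'].includes(appType)) {
    findings.push(`dev server is network-exposed (server.host) with appType '${appType}'`);
    if (config.server?.fs && status !== 'fixed') {
      // The advisory states the bypass applies regardless of server.fs settings.
      findings.push('server.fs restrictions are configured but do not mitigate this issue on a pre-fix release');
    }
  }
  if (previewExposed) {
    findings.push('preview server is network-exposed (preview.host); advisory notes it can serve HTML outside the output directory');
  }
  return findings;
}

// Constructed sample: a staging config exposed on all interfaces, running a pre-fix release.
const sampleConfig = {
  appType: 'spa',
  server: { host: true, fs: { allow: ['src'] } },
  preview: { host: '0.0.0.0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditViteConfig(sampleConfig, '7.1.4')) console.log('FINDING:', f);
}
```

Run it against the object your vite.config.js resolves to (call the config function yourself if it is one) and the output of `vite --version`; an empty findings array for a dev or preview server that is reachable from other hosts still leaves the network-exposure question to be settled at the firewall, as the actions above recommend.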

Evidence notes

This debrief is based only on the supplied CISA CSAF source item and the linked official references. The source text explicitly describes a Vite HTML-serving bypass, lists the fixed Vite versions, and notes impact to exposed dev and preview servers. The same source item’s product tree and remediation fields reference Siemens SIDIS Prime vers:intdot/<4.0.800 and a remediation to V4.0.800 or later, which does not match the Vite version language in the description; that inconsistency is flagged and should be validated against the Siemens ProductCERT advisory before operational decisions are made.

Official resources

Publicly disclosed by CISA on 2026-03-10 and republished on 2026-03-12 from Siemens ProductCERT advisory SSA-485750.