PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-62522 Siemens CVE debrief

CVE-2025-62522 is a confidentiality issue in the Vite development server on Windows. If an application explicitly exposed the dev server to the network, a request whose URL ended with a trailing backslash could cause files blocked by server.fs.deny to be sent. The advisory rates the issue CVSS 6.5 MEDIUM and limits the practical impact to exposed Windows dev servers; integrity and availability are not described as affected. Fixed versions listed in the advisory are 5.4.21, 6.4.1, 7.0.8, and 7.1.11.

Vendor: Siemens
Product: SIDIS Prime
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-12
Advisory published: 2026-03-10
Advisory updated: 2026-03-12

Who should care

Teams running Vite dev servers on Windows, especially when the dev server is reachable from other hosts on the network. Developers, DevOps, and security teams should pay attention if development environments, labs, or CI systems expose Vite beyond localhost.

Technical summary

The reported behavior allows files denied by server.fs.deny to be returned when the request URL ends with a trailing backslash on Windows. The issue affects Vite versions 2.9.18 to before 3.0.0, 3.2.9 to before 4.0.0, 4.5.3 to before 5.0.0, 5.2.6 to before 5.4.21, 6.0.0 to before 6.4.1, 7.0.0 to before 7.0.8, and 7.1.0 to before 7.1.11. The CVSS vector provided is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, which matches a network-reachable disclosure issue requiring user interaction.

Defensive priority

Medium-to-high for any network-exposed Vite dev server on Windows; lower priority for localhost-only development setups. The affected scope is narrow, but the exposure can leak sensitive local files if the dev server is reachable from untrusted networks.

Recommended defensive actions

  • Update Vite to a fixed release: 5.4.21, 6.4.1, 7.0.8, or 7.1.11, depending on the branch in use.
  • Do not expose the Vite dev server to untrusted networks; keep it bound to localhost whenever possible.
  • Review Windows-based development, demo, and CI environments for accidental port forwarding, reverse proxies, or firewall rules that make the dev server reachable.
  • Verify that server.fs.deny settings are still appropriate for the environment, and treat the dev server as a development-only service rather than a production-facing component.
  • Confirm that any shared lab or team environment using Vite on Windows has been patched before exposing it to other users or systems.
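The affected version ranges in the technical summary and the "update to a fixed release" action above can be turned into a quick inventory check. The following Node.js script is an added example written for this debrief; it is not PatchSiren's, Siemens', or the Vite project's code. It encodes only the ranges and fixed releases stated in the advisory text (branches 2.x, 3.x and 4.x have no fixed release in that list, so the script reports `fixed: null` for them), and it adds a small helper that flags a Vite config whose `server.host` setting would expose the dev server beyond localhost. The function names, the loopback list, and the assumption that an absent `server.host` means the Vite default (localhost-only) are this example's own.

```javascript
// Added example, not from the original advisory or the Vite project.
// Classifies an installed Vite version against the advisory's affected ranges
// and reports the fixed release for its branch, if the advisory lists one.

const AFFECTED_RANGES = [
  // [from, before) ranges exactly as stated in the advisory text.
  { from: '2.9.18', before: '3.0.0',  fixed: null },     // no fixed release listed for 2.x
  { from: '3.2.9',  before: '4.0.0',  fixed: null },     // no fixed release listed for 3.x
  { from: '4.5.3',  before: '5.0.0',  fixed: null },     // no fixed release listed for 4.x
  { from: '5.2.6',  before: '5.4.21', fixed: '5.4.21' },
  { from: '6.0.0',  before: '6.4.1',  fixed: '6.4.1' },
  { from: '7.0.0',  before: '7.0.8',  fixed: '7.0.8' },
  { from: '7.1.0',  before: '7.1.11', fixed: '7.1.11' },
];

// Parse "7.1.3", "v7.1.3" or "7.1.3-beta.1" into [major, minor, patch].
// Prerelease tags are ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Vite version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, range, fixed } for the given installed version.
function assessViteVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0) {
      return { affected: true, range: `${r.from} to before ${r.before}`, fixed: r.fixed };
    }
  }
  return { affected: false, range: null, fixed: null };
}

// Assumption for this example: a config object shaped like vite.config.js.
// Vite's default (no server.host) listens on localhost only; `host: true` or a
// non-loopback address makes the dev server reachable from other hosts.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

function isNetworkExposed(config) {
  const host = config && config.server ? config.server.host : undefined;
  if (host === undefined || host === false) return false;
  if (host === true) return true;
  return !LOOPBACK_HOSTS.has(String(host).trim());
}

// Combine both checks into one triage verdict for a Windows dev environment.
function triage(version, config) {
  const v = assessViteVersion(version);
  const exposed = isNetworkExposed(config);
  let advice;
  if (!v.affected) {
    advice = 'version not in an affected range';
  } else if (v.fixed) {
    advice = `update to ${v.fixed}` + (exposed ? ' and restrict server.host to localhost' : '');
  } else {
    advice = 'no fixed release listed for this branch; move to a fixed 5.x/6.x/7.x release';
  }
  return { ...v, exposed, advice };
}

// Constructed sample inputs, for illustration only.
console.log(triage('7.1.3', { server: { host: true, fs: { deny: ['.env', '.env.*'] } } }));
console.log(triage('5.4.21', {}));
console.log(triage('4.5.3', { server: { host: '0.0.0.0' } }));
```

Run it with `node check-vite.js` (any filename works) against the version reported by `npx vite --version` or the `vite` entry in `package-lock.json`; a `fixed: null` verdict on an affected 2.x/3.x/4.x install means the advisory lists no patch for that branch, so remediation is a branch upgrade rather than a point release.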

Evidence notes

This debrief is based on the supplied CISA CSAF source item ICSA-26-071-03 and its referenced Siemens ProductCERT advisory SSA-485750, published 2026-03-10 and republished/revised by CISA on 2026-03-12. The advisory text consistently describes a Vite issue involving Windows dev servers and server.fs.deny. The supplied source-item metadata also maps the CVE to Siemens SIDIS Prime vers:intdot/<4.0.800 and includes a remediation field that says 'V4.0.800 or later,' which conflicts with the Vite-specific advisory text; this response follows the advisory text and flags the mismatch rather than guessing at product correlation.

Official resources

Publicly disclosed by the advisory on 2026-03-10, with a CISA republication/revision on 2026-03-12. The issue is limited to Vite dev servers explicitly exposed to the network on Windows.