CVE-2025-67489
Published 2025-12-09
Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.69% (48.3rd percentile)
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using vite --host to expose the server on all network interfaces. This issue is fixed in version 0.5.6.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | plugin-rsc | >= 0 < 0.5.6 | 0.5.6 |
| vitejs | vite-plugin-react | < 0.5.6 | 0.5.6 |
Detection & IOCs (extracted from sources)
- Monitor for exploitation of server function API endpoints (loadServerAction, decodeReply, decodeAction) in Vite RSC development servers, which may indicate unsafe dynamic import abuse leading to RCE.
- Alert on Vite development servers started with the `--host` flag, as this exposes the server on all network interfaces and significantly increases the attack surface for CVE-2025-67489.
- Identify installations of @vitejs/plugin-rsc at versions 0.5.5 and below as vulnerable; version 0.5.6 contains the fix.
- This vulnerability only affects development servers, not production deployments. Exposure is limited to environments where the Vite dev server is running.
- Exploitation requires network access to the development server. Attackers must be able to reach the server's network interface to trigger the unsafe dynamic imports.
- No public exploit is currently available for this CVE, though the EPSS exploitation probability percentile is elevated at 62.5.
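The inventory check in the list above (find installed copies of @vitejs/plugin-rsc below the fixed release 0.5.6) can be done directly against an npm lockfile. The script below is an added example, not code from the advisory or from the vitejs project; it assumes a package-lock.json with `lockfileVersion` 2 or 3 (the `packages` map keyed by `node_modules/...` paths) and uses a constructed sample lockfile so it runs offline. Nested duplicate installs are reported too, since a hoisted fixed copy does not guarantee that every copy in the tree is fixed.

```javascript
// Added example (not from the advisory or the plugin project): scan an npm
// package-lock.json for installed copies of @vitejs/plugin-rsc and flag any
// version below the fixed release 0.5.6 (the advisory's "0.5.5 and below").
// Assumes lockfileVersion 2/3, where installs live under the "packages" map.

const PACKAGE_NAME = '@vitejs/plugin-rsc';
const FIXED_VERSION = '0.5.6';

// Constructed sample lockfile: a hoisted vulnerable copy plus a nested copy
// under another dependency that is already on the fixed release.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { '@vitejs/plugin-rsc': '^0.5.5' } },
    'node_modules/@vitejs/plugin-rsc': { version: '0.5.5' },
    'node_modules/some-lib': { version: '1.2.3' },
    'node_modules/some-lib/node_modules/@vitejs/plugin-rsc': { version: '0.5.6' },
  },
});

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release suffixes are stripped before comparison, which is sufficient
// for a fixed-version check like this one (an assumption of this example).
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map and return every install path of the plugin,
// each with its version and whether it is below the fixed release.
function findPluginRsc(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const packages = lock.packages || {};
  const results = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/' + PACKAGE_NAME)) continue;
    if (!meta || typeof meta.version !== 'string') continue; // skip link/alias entries
    results.push({
      path,
      version: meta.version,
      vulnerable: compareVersions(meta.version, FIXED_VERSION) < 0,
    });
  }
  return results;
}

// Human-readable report; returns the number of vulnerable installs found.
function report(lockfileText) {
  const found = findPluginRsc(lockfileText);
  if (found.length === 0) {
    console.log(`${PACKAGE_NAME} not present in lockfile`);
    return 0;
  }
  let vulnerableCount = 0;
  for (const f of found) {
    const verdict = f.vulnerable ? `VULNERABLE (upgrade to ${FIXED_VERSION})` : 'ok';
    console.log(`${f.path}  ${f.version}  ${verdict}`);
    if (f.vulnerable) vulnerableCount++;
  }
  return vulnerableCount;
}

report(SAMPLE_LOCKFILE);
```

To run it against a real project, read the lockfile with `fs.readFileSync('package-lock.json', 'utf8')` and pass that string to `report`; a non-zero return value means at least one install still below 0.5.6 and is a reasonable CI gate.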
GHSA
ghsa · 2025-12-08 · CVE-2025-67489 [CRITICAL] · CWE-94
@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server
## Summary
Arbitrary Remote Code Execution on development server via unsafe dynamic imports in `@vitejs/plugin-rsc` server function APIs (`loadServerAction`, `decodeReply`, `decodeAction`) when integrated into RSC applications that expose server function endpoints.
## Impact
Attackers with network access to the development server can execute arbitrary JavaScript code with Node.js privileges, allowing them to read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using `vite --host` to expose the server on all network interfaces.
OSV
osv · 2025-12-08 · CVE-2025-67489 [CRITICAL]
@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server
(Summary and Impact text identical to the GHSA entry above.)
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz · CVSS 5.3 · CVE-2025-67489 [MEDIUM]
CVE-2025-67489 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67489: Vite RSC Plugin vulnerability analysis and mitigation
(Description identical to the CVE description above.)
Greynoiseio
blogs_greynoiseio · CVSS 10.0 · [CRITICAL]
NoiseLetter December 2025