cbcvebase.
CVE-2025-67489
published 2025-12-09


Priority: P268
Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.69% (48.3rd percentile)
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using vite --host to expose the server on all network interfaces. This issue is fixed in version 0.5.6.

Affected (2 ranges)

Vendor   Product             Version range    Fixed in
vitejs   plugin-rsc          >= 0 < 0.5.6     0.5.6
vitejs   vite-plugin-react   < 0.5.6          0.5.6

Detection & IOCs (extracted from sources)

  • Monitor for exploitation of server function API endpoints (loadServerAction, decodeReply, decodeAction) in Vite RSC development servers, which may indicate unsafe dynamic import abuse leading to RCE.
  • Alert on Vite development servers started with the `--host` flag, as this exposes the server on all network interfaces and significantly increases the attack surface for CVE-2025-67489.
  • Identify installations of @vitejs/plugin-rsc at versions 0.5.5 and below as vulnerable; version 0.5.6 contains the fix.
  • This vulnerability only affects development servers, not production deployments. Exposure is limited to environments where the Vite dev server is running.
  • Exploitation requires network access to the development server. Attackers must be able to reach the server's network interface to trigger the unsafe dynamic imports.
  • No public exploit is currently available for this CVE, though the EPSS exploitation probability percentile is elevated at 62.5.
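As an added example (not part of the advisory and not code from the @vitejs project), the following JavaScript implements the two inventory checks listed above: it walks the `packages` map of a package-lock.json (lockfileVersion 2/3 layout) for any @vitejs/plugin-rsc install below the fixed release 0.5.6, and it flags npm scripts that start the Vite dev server with `--host`. The lockfile and package.json contents are constructed samples, and the function names are my own.

```javascript
// Added example, not the advisory's or the project's code: inventory checks for
// CVE-2025-67489 against a lockfile and a package.json loaded as objects.
const FIXED_VERSION = "0.5.6"; // fix version stated in the advisory

// Compare two dotted numeric versions (any pre-release suffix is stripped).
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every @vitejs/plugin-rsc entry (including nested copies) whose
// version is below FIXED_VERSION, i.e. 0.5.5 and earlier.
function findVulnerablePluginRsc(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    if (!path.endsWith("node_modules/@vitejs/plugin-rsc")) continue;
    if (typeof entry.version !== "string") continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: entry.version, fixedIn: FIXED_VERSION });
    }
  }
  return findings;
}

// Return the names of npm scripts that run the Vite dev server with --host.
// "vite build" and "vite preview" are not the dev server and are skipped.
function findHostExposedScripts(pkg) {
  return Object.entries(pkg.scripts ?? {})
    .filter(([, cmd]) =>
      /\bvite\b/.test(cmd) &&
      !/\bvite\s+(build|preview)\b/.test(cmd) &&
      /(^|\s)--host(=|\s|$)/.test(cmd))
    .map(([name]) => name);
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@vitejs/plugin-rsc": { version: "0.5.5" },
    "node_modules/vite": { version: "7.0.0" }, // constructed value
  },
};
const SAMPLE_PKG = {
  scripts: {
    dev: "vite --host",
    build: "vite build",
    preview: "vite preview --host",
  },
};

// Stand-alone run: report both findings for the samples above.
for (const f of findVulnerablePluginRsc(SAMPLE_LOCK)) {
  console.log(`vulnerable: ${f.path} ${f.version} (fixed in ${f.fixedIn})`);
}
for (const name of findHostExposedScripts(SAMPLE_PKG)) {
  console.log(`dev server exposed on all interfaces by script "${name}"`);
}
```

In a real run, replace the samples with `JSON.parse(fs.readFileSync("package-lock.json"))` and the project's package.json; the lockfile walk deliberately matches nested `node_modules/.../node_modules/@vitejs/plugin-rsc` paths so a transitive copy pulled in below a patched top-level install is still reported.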