CVE-2025-68155
Published 2025-12-16
Priority: P3 (53) · Severity: high · CVSS 3.1: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.55% (41.9th percentile)
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read while the Vite development server is running. An attacker who can reach the dev server can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | plugin-rsc | >= 0 < 0.5.8 | 0.5.8 |
| vitejs | vite-plugin-react | < 0.5.8 | 0.5.8 |
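A lockfile check for the version range in the table, as an added example that is not part of the advisory or of the plugin project. It walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every install of `@vitejs/plugin-rsc` below the fixed version 0.5.8, including nested copies under another dependency's `node_modules`. The sample lockfile object and the project name `demo-app` are constructed for illustration.

```javascript
// Added example, not the advisory's or the plugin's code: find installs of
// @vitejs/plugin-rsc older than the fixed version 0.5.8 in an npm lockfile
// (lockfileVersion 2/3 "packages" map). Matching is on the key suffix, so a
// second copy nested under another package's node_modules is found too.
const PKG = "@vitejs/plugin-rsc";
const FIXED = "0.5.8";

// Compare "major.minor.patch[-prerelease]" versions; returns -1, 0 or 1.
// A pre-release sorts below its base release (0.5.8-beta.1 < 0.5.8), so a
// pre-release of the fix version is still reported as vulnerable.
function compareSemver(a, b) {
  const [baseA, preA] = a.split("-", 2);
  const [baseB, preB] = b.split("-", 2);
  const na = baseA.split(".").map(Number);
  const nb = baseB.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (na[i] || 0) - (nb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0; // two pre-releases of the same base are treated as equal here
}

// Return every lockfile entry for PKG whose version is below FIXED.
function findVulnerableInstalls(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key.endsWith("node_modules/" + PKG) || !meta.version) continue;
    if (compareSemver(meta.version, FIXED) < 0) {
      hits.push({ path: key, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct vulnerable install (0.5.7) and one
// nested install that is already on the fixed version.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { [PKG]: "^0.5.0" } },
    ["node_modules/" + PKG]: { version: "0.5.7" },
    ["node_modules/some-framework/node_modules/" + PKG]: { version: "0.5.8" },
  },
};

for (const h of findVulnerableInstalls(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} is below ${FIXED}, upgrade required`);
}
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `SAMPLE_LOCK`; lockfileVersion 1 files use a nested `dependencies` tree rather than a flat `packages` map and are not handled by this scanner. `npm ls @vitejs/plugin-rsc` gives the same answer for the installed tree but will not catch a lockfile that has drifted from `node_modules`.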
OSV
@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint
osv · 2025-12-16 · CVE-2025-68155 [HIGH]
## Summary
The `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows **unauthenticated arbitrary file read** during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter.
**Severity:** High
**Attack Vector:** Network
**Privileges Required:** None
**Scope:** Development mode only (`vite dev`)
---
## Impact
### Who Is Affected?
- **All developers** using `@vitejs/plugin-rsc` during development
- Projects running `vite dev` with the RSC plugin enabled
### Attack Scenarios
1. **Network-Exposed Dev Servers:**
When developers run `vite --host 0.0.0.0` (common for mob
GHSA
@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint
ghsa · 2025-12-16 · CVE-2025-68155 [HIGH] · CWE-22
No detection rules found.
No public exploits indexed.
Wiz
GHSA-c6m7-q6pr-c64r Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · [MEDIUM]
## GHSA-c6m7-q6pr-c64r: Vite RSC Plugin vulnerability analysis and mitigation
## Impact
@vitejs/plugin-rsc, react-server-dom-webpack
## Patches
@vitejs/[email protected]
Score 5.3 (source: NVD) · Severity MEDIUM · CNA score N/A · Published December 12, 2025
Affected technologies: Vite RSC Plugin
Has public exploit: No · In CISA KEV: No (release date N/A, due date N/A)
EPSS: N/A (percentile N/A)
Affected packages and libraries: @vitejs/plugin-rsc
Sources: NVD; npm (severity MEDIUM, has fix, added Dec 12, 2025)
## Related Vite RSC Plugin vulnerabilities:
Wiz
CVE-2025-67489 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · [MEDIUM]
## CVE-2025-67489: Vite RSC Plugin vulnerability analysis and mitigation
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read or modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when `vite --host` is used to expose the server on all network interfaces. This issue is fixed in version 0.5.6.
Wiz
GHSA-cpqf-f22c-r95x Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · [MEDIUM]
## GHSA-cpqf-f22c-r95x: Vite RSC Plugin vulnerability analysis and mitigation
## Impact
@vitejs/plugin-rsc, react-server-dom-webpack
## Patches
@vitejs/[email protected]
Score 7.5 (source: NVD) · Severity HIGH · CNA score N/A · Published December 12, 2025
Affected technologies: Vite RSC Plugin
Has public exploit: No · In CISA KEV: No (release date N/A, due date N/A)
EPSS: N/A (percentile N/A)
Affected packages and libraries: @vitejs/plugin-rsc
Sources: NVD; npm (severity HIGH, has fix, added Dec 12, 2025)
## Related Vite RSC Plugin vulnerabilities:
Wiz
CVE-2025-68155 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · [MEDIUM]
## CVE-2025-68155: Vite RSC Plugin vulnerability analysis and mitigation
Score 7.5 (source: NVD) · Severity HIGH · CNA score 7.5 · Published December 16, 2025
Affected technologies: Vite RSC Plugin
Has public exploit: No · In CISA KEV: No (release date N/A, due date N/A)
EPSS: 0.5 (percentile 67.7)
Affected packages and libraries: @vitejs/plugin-rsc
Sources: NVD; npm (severity HIGH, has fix, added Dec 17, 2025)