Vitejs Vite-Plugin-React vulnerabilities
2 known vulnerabilities affecting vitejs/vite-plugin-react.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1
Vulnerabilities
CVE-2025-67489 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | fixed in 0.5.6 | 2025-12-09
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoint
nvd
CVE-2025-68155 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 0.5.8 | 2025-12-16
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL
nvd