Description

@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using vite --host to expose the server on all network interfaces. This issue is fixed in version 0.5.6.

INFO

Published Date :

2025-12-09T20:54:23.716Z

Last Modified :

2025-12-10T16:00:25.438Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-67489 vulnerability.

Vendors Products
Vitejs
  • Plugin-rsc
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-67489.

URL Resource
https://github.com/vitejs/vite-plugin-react/commit/fe634b58210d0a4a146a7faae56cd71af3bb9af4 cve-icon cve-icon
https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-j76j-5p5g-9wfr cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact