Platform: react
Component: @vitejs/plugin-react
Fixed in: 0.5.7
CVE-2025-67489 is a critical Remote Code Execution (RCE) vulnerability affecting versions of @vitejs/plugin-react up to and including 0.5.5. This vulnerability arises from unsafe dynamic imports within React Server Components (RSC) server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications exposing server function endpoints. A fix is available in version 0.5.6.
An attacker with network access to the vulnerable development server can exploit this vulnerability to achieve arbitrary code execution. This allows them to read and modify files on the server, potentially exfiltrating sensitive data such as source code, environment variables, and credentials. The attacker could also pivot to other internal services, significantly expanding the scope of the attack. This vulnerability specifically affects development servers, but the potential for data compromise and system takeover remains severe.
This vulnerability was publicly disclosed on 2025-12-09. There are currently no known public proof-of-concept exploits, but the ease of exploitation makes it a high-priority concern. The CVSS score of 9.8 (CRITICAL) reflects the severity of the vulnerability. It is not currently listed on the CISA KEV catalog.
Development teams using @vitejs/plugin-react to build React Server Component applications are at risk. Specifically, those using versions 0.5.5 or earlier and exposing server function endpoints are particularly vulnerable. Shared hosting environments where developers have access to the development server are also at increased risk.
• react / development server:
# Check for vulnerable plugin versions in package.json
grep '@vitejs/plugin-react' package.json
• react / development server:
# Monitor server logs for suspicious dynamic import calls
# (specific patterns will depend on RSC implementation)
grep 'dynamic import' server.log
Disclosure
Exploit status
EPSS
0.43% (62nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to @vitejs/plugin-react version 0.5.6 or later, which addresses the vulnerability. If upgrading is not immediately feasible, implement strict input validation and sanitization for all data passed to server function APIs. Carefully review and restrict the use of dynamic imports within these functions. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests targeting server function endpoints. After upgrading, confirm the fix by attempting to trigger the vulnerable dynamic import and verifying that it no longer results in code execution.
Update the `@vitejs/plugin-react` package to version 0.5.6 or later. This fixes the remote code execution vulnerability. Run `npm install @vitejs/plugin-react@latest` or `yarn add @vitejs/plugin-react@latest` to update.
CVE-2025-67489 is a critical Remote Code Execution vulnerability in @vitejs/plugin-react versions up to 0.5.5, allowing attackers to execute arbitrary code on the development server through unsafe dynamic imports in React Server Components.
You are affected if you are using @vitejs/plugin-react version 0.5.5 or earlier and your application exposes server function endpoints.
Upgrade to @vitejs/plugin-react version 0.5.6 or later. If upgrading is not possible, implement strict input validation and sanitization for server function APIs.
There are currently no known active exploits, but the vulnerability's severity and ease of exploitation make it a high-priority concern.
Refer to the official ViteJS security advisories and release notes for details: [https://vitejs.dev/security](https://vitejs.dev/security)