Platform: nodejs
Component: @vitejs/plugin-rsc
Fixed in: 0.5.9, 0.5.8
CVE-2025-68155 describes an arbitrary file read vulnerability in the @vitejs/plugin-rsc plugin for Vite that is reachable only in development mode (`vite dev`). An unauthenticated attacker who can reach the dev server can read any file the Node.js process is allowed to read by manipulating the `filename` query parameter of one of the plugin's dev endpoints. Affected are developers and projects running `vite dev` with the RSC plugin enabled; the fix shipped in version 0.5.8.
The primary impact of CVE-2025-68155 is unauthorized disclosure of sensitive information. An attacker exploits it by sending an HTTP request to the `/__vite_rsc_findSourceMapURL` endpoint with a `file://` URL in the `filename` query parameter, which the vulnerable plugin opens as-is. That yields arbitrary files on the developer's machine: source code, configuration files and, frequently, credentials such as `.env` files or tokens in the home directory. Because the endpoint only exists in `vite dev`, production builds are not affected, which limits the exposure; developer workstations nevertheless hold plenty of secrets, so the issue is a real concern.
The vulnerability was publicly disclosed on December 16, 2025. There is currently no indication of exploitation in the wild. Given how simple the request is, public proof-of-concept code is likely to appear. The impact is confined to development environments, which lowers the overall risk profile. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Developers running Vite's RSC plugin in development are at the highest risk, whatever the shape of the application (React Server Components, SSR or SPA projects that have the plugin in their Vite config). Shared development environments, cloud IDEs and containerized dev workflows that expose the dev server beyond localhost are at additional risk: files readable by the dev process (environment files, package registry tokens, cloud credentials) can give an attacker access to other systems.
• nodejs / supply-chain: find running Vite dev servers (Windows). `Get-Process` only exposes `CommandLine` on PowerShell 7, so query WMI instead; note that the plugin name itself does not appear on the command line, only `vite`:
```powershell
Get-CimInstance Win32_Process -Filter "Name='node.exe'" |
  Where-Object { $_.CommandLine -match 'vite' } |
  Select-Object ProcessId, CommandLine
```
• nodejs / supply-chain: find installed copies of the plugin and print their versions (the original `Get-ChildItem -Path Env:NODE_PATH` form does not work, because `Env:` is the environment-variable drive, not a directory). Any version below 0.5.8 is vulnerable:
```powershell
Get-ChildItem -Path . -Recurse -Directory -Filter 'plugin-rsc' |
  Where-Object { $_.Parent.Name -eq '@vitejs' } |
  ForEach-Object {
    $pkg = Get-Content (Join-Path $_.FullName 'package.json') | ConvertFrom-Json
    [pscustomobject]@{ Path = $_.FullName; Version = $pkg.version }
  }
```
• generic web: with the dev server running (Vite listens on http://localhost:5173 by default), request `/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd` with curl or wget, e.g. `curl -s -w '\n%{http_code}\n' 'http://localhost:5173/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd'`, and inspect the response. If the body contains the contents of `/etc/passwd`, the installed plugin is vulnerable.
Disclosure
Exploit status:
EPSS: 0.54% (67th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-68155 is to upgrade @vitejs/plugin-rsc to version 0.5.8 or later, which contains the fix for the arbitrary file read. If upgrading is not immediately possible, disable the RSC plugin during development, keep the dev server bound to localhost (Vite's default; avoid `--host 0.0.0.0` or `server.host: true`), or block the `/__vite_rsc_findSourceMapURL` path at a reverse proxy or WAF if one fronts the dev server. Run the Node.js process with minimal file-system permissions to limit what a successful exploit can read. After upgrading, confirm the fix by requesting `/__vite_rsc_findSourceMapURL` with a `file://` URL in `filename` and verifying that the file contents are no longer returned.
Update the `@vitejs/plugin-rsc` package to version 0.5.8 or later; this fixes the arbitrary file read vulnerability. Run `npm install @vitejs/plugin-rsc@latest` or `yarn add @vitejs/plugin-rsc@latest` to update.
CVE-2025-68155 is a high-severity vulnerability in the @vitejs/plugin-rsc Vite plugin that lets unauthenticated attackers read files from the developer's machine while `vite dev` is running. It affects Vite projects that use the RSC plugin.
You are affected if you use @vitejs/plugin-rsc in a Vite project and run it in development mode (`vite dev`).
Upgrade @vitejs/plugin-rsc to version 0.5.8 or later. As a temporary workaround, keep the dev server on localhost and block the `/__vite_rsc_findSourceMapURL` endpoint.
There is currently no evidence of active exploitation, but the request is trivial to craft, which makes the issue an attractive target.
Refer to the official Vite documentation and release notes for updates regarding CVE-2025-68155: [https://vitejs.dev/](https://vitejs.dev/)