Platform: react
Component: @vitejs/plugin-react
Fixed in: 0.5.7
CVE-2025-67489 is a critical Remote Code Execution (RCE) vulnerability affecting @vitejs/plugin-react versions up to and including 0.5.5. The root cause is an unsafe dynamic import in the React Server Components (RSC) server function APIs (loadServerAction, decodeReply, decodeAction): a server reference identifier supplied by the client is used to select the module to import instead of being resolved against the set of server references known to the build. Any application that exposes server function endpoints built on these APIs is affected. A fix is available in version 0.5.6. Note that these three APIs belong to Vite's RSC plugin, @vitejs/plugin-rsc, whose release line is 0.5.x; when checking your lockfile, look for that package as well as @vitejs/plugin-react.
An attacker with network access to the vulnerable development server can reach the server function endpoint without authentication and cause the server to import a module of their choosing, which amounts to arbitrary code execution in the dev server process. From there they can read and modify files the process can access, exfiltrate sensitive data such as source code, environment variables and credentials, and pivot to other internal services reachable from the developer's machine or CI host. The affected code runs in the development server, so the precondition is that the dev server is reachable from an untrusted network (for example, started with --host, bound to 0.0.0.0, or published through a tunnel or container port); the impact is nonetheless full compromise of that process.
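The bug class described above, as an added example that is not code from @vitejs/plugin-react, @vitejs/plugin-rsc or any Vite project. It contrasts a resolver that hands a client-supplied server reference id straight to import() with one that treats the id purely as a lookup key into a build-time manifest. The manifest shape, the function names (resolveUnsafe, resolveSafe, handleServerActionRequest) and the attacker-supplied id are all constructed for illustration; neither resolver performs a real import, each returns the specifier it would import so the difference is observable.

```javascript
// Added example (hypothetical names, not the plugin's real implementation).
// Constructed manifest: what the build knows about exported server actions.
// Key = reference id handed to the client, value = where the action really lives.
const SERVER_REFERENCE_MANIFEST = Object.freeze({
  "actions.js#createTodo": { module: "./src/actions.js", exportName: "createTodo" },
  "actions.js#deleteTodo": { module: "./src/actions.js", exportName: "deleteTodo" },
});

// Vulnerable pattern: the id from the request is split into a module path and an
// export name, and the module path would go straight to import(). The attacker
// therefore chooses which module the server loads.
function resolveUnsafe(referenceId) {
  const [modulePath, exportName] = String(referenceId).split("#");
  return { specifier: modulePath, exportName };
}

// Hardened pattern: the id is only a key. Anything not present in the manifest is
// rejected before any import happens, so the module set is fixed at build time.
function resolveSafe(referenceId, manifest = SERVER_REFERENCE_MANIFEST) {
  if (typeof referenceId !== "string" || referenceId.length === 0 || referenceId.length > 256) {
    throw new Error("invalid server reference id");
  }
  // hasOwnProperty guards against prototype keys such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(manifest, referenceId)) {
    throw new Error(`unknown server reference: ${referenceId}`);
  }
  const entry = manifest[referenceId];
  return { specifier: entry.module, exportName: entry.exportName };
}

// Simulated endpoint handling: the id arrives in a header or form field of the
// server-function request; the resolver decides what would be imported.
function handleServerActionRequest(referenceId, resolver) {
  try {
    const { specifier, exportName } = resolver(referenceId);
    return { ok: true, specifier, exportName };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed inputs: a legitimate id and an attacker-chosen one.
const LEGIT_ID = "actions.js#createTodo";
const ATTACKER_ID = "node:child_process#execSync";

console.log("unsafe, attacker id:", handleServerActionRequest(ATTACKER_ID, resolveUnsafe));
console.log("safe, attacker id:  ", handleServerActionRequest(ATTACKER_ID, resolveSafe));
console.log("safe, legit id:     ", handleServerActionRequest(LEGIT_ID, resolveSafe));
```

The property that matters is that in the hardened version the request can only select among modules the build already registered; the shape of the id, path traversal, URL schemes and `node:` built-ins never reach import() at all.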
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept exploit is known at the time of writing, but the vulnerability requires no authentication or user interaction and only network reachability of the dev server, which is why it carries a CVSS score of 9.8 (CRITICAL). It is not currently listed in the CISA KEV catalog.
Exploit status: EPSS 0.43% (62nd percentile); not in CISA KEV.
The primary mitigation is to upgrade @vitejs/plugin-react to version 0.5.6 or later (the summary field above lists 0.5.7; the latest release satisfies both). If upgrading is not immediately feasible, reduce exposure of the development server rather than relying on request filtering: keep Vite's `server.host` at its default of localhost, do not start the dev server with `--host` or `0.0.0.0` on shared networks, and do not publish its port through tunnels or container port mappings. Input validation in application code does not help here, because the unsafe import happens inside the plugin's own server function APIs before the request reaches your action. After upgrading, confirm that every installed copy, including nested duplicates pulled in by other dependencies, is at the fixed version, for example with `npm ls @vitejs/plugin-react` or by inspecting the lockfile.
Update the `@vitejs/plugin-react` package to version 0.5.6 or higher, which fixes the remote code execution vulnerability. Run `npm install @vitejs/plugin-react@latest` or `yarn add @vitejs/plugin-react@latest`, then commit the updated lockfile so CI and other developers pick up the fixed version.
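A lockfile check for the "confirm every installed copy" step, added here as an example and not part of the advisory or of Vite's tooling. It scans a package-lock.json (lockfileVersion 2 or 3, which list every installed copy under `packages`) for all copies of the package, including nested duplicates that `npm ls` might otherwise hide behind a hoisted safe copy, and reports the ones below the fixed version. The lock content is constructed; the package name and fixed version are taken from this page and can be changed to check @vitejs/plugin-rsc as well.

```javascript
// Added example (not Vite's or npm's code). Version boundaries per this page.
const PACKAGE = "@vitejs/plugin-react";
const FIXED_IN = "0.5.6"; // advisory text; the page's summary field lists 0.5.7

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release and build suffixes are
// dropped, which is conservative enough for a less-than-fixed comparison.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every install location appears as its own key, so a nested vulnerable copy
// under node_modules/<dep>/node_modules/<pkg> is found even when the hoisted
// top-level copy is already fixed.
function findVulnerableCopies(lock, pkg = PACKAGE, fixedIn = FIXED_IN) {
  const packages = (lock && lock.packages) || {};
  const hits = [];
  for (const [path, info] of Object.entries(packages)) {
    const isPkg = path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`);
    if (!isPkg || !info || !info.version) continue;
    if (compareSemver(info.version, fixedIn) < 0) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Constructed lockfile: a hoisted fixed copy plus a nested vulnerable one.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@vitejs/plugin-react": "^0.5.6" } },
    "node_modules/@vitejs/plugin-react": { version: "0.5.6" },
    "node_modules/legacy-ui-kit": {
      version: "1.0.0",
      dependencies: { "@vitejs/plugin-react": "0.5.5" },
    },
    "node_modules/legacy-ui-kit/node_modules/@vitejs/plugin-react": { version: "0.5.5" },
  },
};

const vulnerable = findVulnerableCopies(SAMPLE_LOCK);
if (vulnerable.length === 0) {
  console.log(`no copies of ${PACKAGE} below ${FIXED_IN}`);
} else {
  for (const hit of vulnerable) console.log(`VULNERABLE ${hit.path} (${hit.version})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; for pnpm or yarn lockfiles the key layout differs and the walk would need adapting, but the per-copy comparison is the same.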
CVE-2025-67489 is a critical Remote Code Execution vulnerability in @vitejs/plugin-react versions up to and including 0.5.5. An unsafe dynamic import in the React Server Components server function APIs lets an unauthenticated attacker who can reach the development server choose the module it imports, and so execute arbitrary code in the dev server process.
You are affected if you use @vitejs/plugin-react version 0.5.5 or earlier, your application exposes server function endpoints, and the development server is reachable from a network you do not fully trust.
Upgrade to @vitejs/plugin-react version 0.5.6 or later. If upgrading is not possible, keep the development server bound to localhost and off shared networks until you can.
There are currently no known active exploits, but the vulnerability's severity and low exploitation complexity make it a high-priority concern.
Refer to the official ViteJS security advisories and release notes for details: [https://vitejs.dev/security](https://vitejs.dev/security)