Platform: nodejs
Component: @vitejs/plugin-rsc
Fixed in: 0.5.9, 0.5.8
CVE-2025-68155 describes an arbitrary file access vulnerability within the @vitejs/plugin-rsc plugin for Vite, specifically during development mode (vite dev). This allows unauthenticated attackers to read files accessible to the Node.js process by manipulating the filename query parameter. The vulnerability impacts developers utilizing the plugin and projects running vite dev with the RSC plugin enabled, and a fix is available in version 0.5.8.
The primary impact of CVE-2025-68155 is the potential for unauthorized file disclosure. An attacker can leverage this vulnerability to read sensitive files within the Node.js process's accessible file system. This could include configuration files containing credentials, source code with API keys, or other confidential data. While limited to development mode, this vulnerability presents a significant risk as development environments often contain more sensitive information than production systems. The attack vector is straightforward: a crafted HTTP request with a file:// URL in the filename parameter allows the attacker to specify the file to be read. There are no privilege requirements, making exploitation accessible to unauthenticated users.
This vulnerability was publicly disclosed on December 16, 2025. There is currently no indication of active exploitation in the wild, but the ease of exploitation and lack of authentication make it a potential target. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability is easily reproducible. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.54% (67th percentile)
The recommended mitigation for CVE-2025-68155 is to immediately upgrade the @vitejs/plugin-rsc package to version 0.5.8 or later. This version includes a fix that prevents the arbitrary file access. If upgrading is not immediately feasible, consider restricting access to the `/__vite_rsc_findSourceMapURL` endpoint during development. This can be achieved through firewall rules or proxy configurations. Additionally, carefully review file permissions within the Node.js process to minimize the potential impact of a successful exploit. After upgrading, confirm the fix by attempting to access the `/__vite_rsc_findSourceMapURL` endpoint with a file:// URL; the request should be denied.
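The interim workaround above can also be applied inside the Vite dev server itself. The following is an added example, not code from this advisory or from the plugin project: a small Vite plugin whose middleware refuses requests to the findSourceMapURL endpoint until the upgrade lands. Assumptions: the endpoint path and the `filename` query-parameter name are those this advisory describes; the plugin name and option name are hypothetical.

```javascript
// Added example (not from the advisory or the @vitejs/plugin-rsc project).
// Endpoint path and "filename" parameter name are as described in the advisory.
const BLOCKED_PATH = '/__vite_rsc_findSourceMapURL';

// Returns a reason string when a request should be refused, or null to let it through.
// mode 'deny-all' (the advisory's workaround) refuses every request to the endpoint.
// mode 'filter' (assumption about what a safe value looks like) refuses only
// filenames that are not plain relative paths: any URL scheme (file:, http:, ...),
// absolute paths, or traversal segments.
function blockReason(rawUrl, mode = 'deny-all') {
  let url;
  try {
    url = new URL(rawUrl, 'http://localhost');
  } catch {
    return 'unparseable URL';
  }
  if (url.pathname !== BLOCKED_PATH) return null;
  if (mode === 'deny-all') return 'endpoint disabled';
  const filename = url.searchParams.get('filename');
  if (filename === null) return 'missing filename';
  if (/^[a-z][a-z0-9+.-]*:/i.test(filename)) return 'URL scheme in filename';
  if (/^[\\/]/.test(filename)) return 'absolute path';
  if (filename.split(/[\\/]/).includes('..')) return 'path traversal';
  return null;
}

// Vite plugin wrapping the check; list it before the RSC plugin in vite.config.js.
function blockFindSourceMapURL(options = {}) {
  const mode = options.mode ?? 'deny-all';
  return {
    name: 'block-find-source-map-url', // hypothetical plugin name
    apply: 'serve', // dev server only; the advisory scopes the issue to vite dev
    configureServer(server) {
      server.middlewares.use((req, res, next) => {
        const reason = blockReason(req.url ?? '/', mode);
        if (reason === null) return next();
        // Surface refused attempts in dev-server output so they can be reviewed.
        server.config.logger.warn(`blocked ${BLOCKED_PATH} request: ${reason}`);
        res.statusCode = 403;
        res.end('Forbidden');
      });
    },
  };
}
```

Blocking the endpoint outright disables server-side source-map lookups during development; that is the trade-off the workaround accepts until 0.5.8 or later is installed.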
Upgrade the `@vitejs/plugin-rsc` package to version 0.5.8 or later. This fixes the arbitrary file read vulnerability. Run `npm install @vitejs/plugin-rsc@latest` or `yarn add @vitejs/plugin-rsc@latest` to upgrade.
CVE-2025-68155 is a high-severity vulnerability in the @vitejs/plugin-rsc Vite plugin allowing unauthenticated attackers to read files during development. It impacts Vite projects using the RSC plugin.
You are affected if you are a developer using @vitejs/plugin-rsc in your Vite project during development (vite dev).
Upgrade the @vitejs/plugin-rsc package to version 0.5.8 or later. Restrict access to the `/__vite_rsc_findSourceMapURL` endpoint as a temporary workaround.
There is currently no evidence of active exploitation, but the ease of exploitation makes it a potential target.
Refer to the official Vite documentation and release notes for updates regarding CVE-2025-68155: [https://vitejs.dev/](https://vitejs.dev/)