Arbitrary File Read Vulnerability in @vitejs/plugin-rsc for Vite
CVE-2025-68155

7.5HIGH

Key Information:

Vendor

Vitejs

Status
Vite-plugin-react
Vendor
CVE Published:
16 December 2025

What is CVE-2025-68155?

The @vitejs/plugin-rsc, which provides support for React Server Components within Vite, has a critical vulnerability in versions before 0.5.8. This flaw allows attackers to exploit the /__vite_rsc_findSourceMapURL endpoint during development mode, permitting unauthorized access to any file that is reachable by the Node.js process. By crafting a specific HTTP request and manipulating the filename query parameter to include a file:// URL, an attacker can gain access to sensitive files, posing a significant threat to application security. Users are encouraged to update to version 0.5.8 or later, which resolves this issue.

Affected Version(s)

vite-plugin-react < 0.5.8

References

https://github.com/vitejs/vite-plugin-react/security/advi...
x_refsource_CONFIRM
https://github.com/facebook/react/pull/29708
x_refsource_MISC
https://github.com/facebook/react/pull/30741
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.