CVE-2025-67489
📋 TL;DR
CVE-2025-67489 allows an unauthenticated attacker who can reach a Vite development server running a vulnerable version of @vitejs/plugin-rs to execute arbitrary code on that machine. It affects developers using React Server Components with Vite whose development server is reachable from the network (for example when it is started with '--host'). The root cause is an unsafe dynamic import in the plugin's server function APIs: attacker-supplied input reaches a dynamic import(), so the dev server loads and runs a module of the attacker's choosing, which amounts to complete compromise of the dev-server process and the account it runs as.
💻 Affected Systems
- @vitejs/plugin-rs
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry vendor-supplied version ranges, so automated matching on version data cannot tell whether your installation is affected.
Why? No affected-version range is recorded in the CVE record. The fixed release (0.5.6) comes from the vendor advisory linked under Fix & Mitigation, so treat every earlier release as affected until you have checked the installed version by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover allowing file system access, credential theft, source code exfiltration, and lateral movement to internal services.
Likely Case
Sensitive data exposure including environment variables, source code, and development credentials.
If Mitigated
Limited to local development environments with no network exposure.
🎯 Exploit Status
Exploitation requires network reachability to the development server (for example one started with '--host', or with server.host set in vite.config); no authentication is needed. Exposure is the deciding factor: a dev server listening only on loopback is reachable only from the same machine.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.5.6
Vendor Advisory: https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-j76j-5p5g-9wfr
Restart Required: Yes
Instructions:
1. Update package.json to specify '@vitejs/plugin-rs': '^0.5.6'.
2. Run 'npm update @vitejs/plugin-rs' or 'yarn upgrade @vitejs/plugin-rs' so the lockfile and node_modules resolve to the new range; confirm with 'npm list @vitejs/plugin-rs' that no older copy remains anywhere in the tree.
3. Restart the development server; a running process keeps the old code loaded until it is restarted.
🔧 Temporary Workarounds
Restrict Network Access (all platforms)
Prevent exposure of the development server to the network:
- Remove the '--host' flag from the Vite dev command
- Use 'vite' instead of 'vite --host'
- Check vite.config for a server.host setting (true, '0.0.0.0' or '::'), which exposes the server exactly as the flag does
Firewall Development Server (Linux)
Block external access to the development port (5173 by default; use the value you pass to --port if you changed it):
sudo ufw deny 5173/tcp
sudo iptables -I INPUT -p tcp --dport 5173 ! -i lo -j DROP
The '! -i lo' match keeps the port usable from the same machine; a bare DROP on the port, appended after permissive rules, can either block your own browser or never be reached at all. ufw keeps loopback open by default, so the ufw rule needs no such exception.
🧯 If You Can't Patch
- Never expose development server to network (avoid 'vite --host')
- Use VPN or SSH tunneling for remote development access
🔍 How to Verify
Check if Vulnerable:
Any installed copy of '@vitejs/plugin-rs' at version 0.5.5 or earlier is vulnerable. Check the resolved version (lockfile or installed tree), not only the range in package.json: a range such as '^0.5.0' can still resolve to 0.5.5 in an existing lockfile.
Check Version:
npm list @vitejs/plugin-rs | grep @vitejs/plugin-rs
Verify Fix Applied:
Confirm package.json shows '@vitejs/plugin-rs': '^0.5.6', that 'npm list @vitejs/plugin-rs' reports 0.5.6 or later for every copy in the tree, and that the dev server has been restarted since the update.
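A script-based version of the check above, added here as an example (not code from this page or from the Vite project): it reads the JSON printed by 'npm ls @vitejs/plugin-rs --json --all' or a package-lock.json and flags every installed copy older than 0.5.6, including copies nested under other dependencies that the top-level package.json range never shows. The package name and fixed version are taken from this page; the two JSON documents inside the script are constructed samples.

```python
"""Find installed copies of @vitejs/plugin-rs older than the fixed release.

Added example, not code from this page or from the Vite project. It reads
either the JSON printed by `npm ls @vitejs/plugin-rs --json --all` or a
package-lock.json (lockfileVersion 2 or 3) and reports every copy below 0.5.6,
including copies nested under other dependencies. The two sample documents at
the bottom are constructed for illustration.
"""
import json
import re
import sys
from typing import Iterator

PACKAGE = "@vitejs/plugin-rs"   # package name as given on this page
FIXED = (0, 5, 6)               # first patched release per the vendor advisory

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def is_vulnerable(version: str) -> bool:
    """True if `version` sorts before 0.5.6; pre-releases of 0.5.6 count as older."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if core != FIXED:
        return core < FIXED
    return m.group(4) is not None   # e.g. 0.5.6-rc.1 is still below 0.5.6


def _walk_npm_ls(node: dict, path: str) -> Iterator[tuple[str, str]]:
    """Yield (dependency path, version) for every copy of PACKAGE in `npm ls` output."""
    for name, dep in (node.get("dependencies") or {}).items():
        here = f"{path}>{name}" if path else name
        if name == PACKAGE and "version" in dep:
            yield here, dep["version"]
        yield from _walk_npm_ls(dep, here)


def vulnerable_copies_from_npm_ls(ls_json: str) -> list[tuple[str, str]]:
    """All installed copies below the fixed release, from `npm ls --json --all` output."""
    return [(p, v) for p, v in _walk_npm_ls(json.loads(ls_json), "") if is_vulnerable(v)]


def vulnerable_copies_from_lockfile(lock_json: str) -> list[tuple[str, str]]:
    """Same check against the 'packages' map of a v2/v3 package-lock.json."""
    packages = json.loads(lock_json).get("packages") or {}
    return [(loc, entry["version"]) for loc, entry in packages.items()
            if loc.endswith("node_modules/" + PACKAGE)
            and "version" in entry and is_vulnerable(entry["version"])]


def vulnerable_copies(document: str) -> list[tuple[str, str]]:
    """Dispatch on document shape: only package-lock.json carries 'lockfileVersion'."""
    if "lockfileVersion" in json.loads(document):
        return vulnerable_copies_from_lockfile(document)
    return vulnerable_copies_from_npm_ls(document)


# Constructed `npm ls --json --all` output: the top-level copy is patched, but a
# second copy pulled in by another dependency is still 0.5.5.
SAMPLE_NPM_LS = json.dumps({
    "name": "my-app",
    "dependencies": {
        "@vitejs/plugin-rs": {"version": "0.5.6"},
        "some-starter-kit": {
            "version": "1.0.0",
            "dependencies": {"@vitejs/plugin-rs": {"version": "0.5.5"}},
        },
    },
})

# Constructed package-lock.json (lockfileVersion 3) describing the same tree.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app"},
        "node_modules/@vitejs/plugin-rs": {"version": "0.5.6"},
        "node_modules/some-starter-kit/node_modules/@vitejs/plugin-rs": {"version": "0.5.5"},
    },
})

if __name__ == "__main__":
    # Pass a real file (npm ls output or package-lock.json) as the first argument;
    # with no argument the constructed samples are checked instead.
    docs = [open(sys.argv[1]).read()] if len(sys.argv) > 1 else [SAMPLE_NPM_LS, SAMPLE_LOCK]
    for doc in docs:
        found = vulnerable_copies(doc)
        print("VULNERABLE" if found else "OK", found)
```

An empty list means no installed copy is below 0.5.6. The nested-copy case is the one worth running this for: 'npm list' without '--all' and a clean package.json can both look patched while a second copy inside another dependency is still 0.5.5.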
📡 Detection & Monitoring
Log Indicators:
- Dev-server or host-audit logs showing the node process loading modules from paths outside the project tree or node_modules, which is what an abused dynamic import looks like
- Unexpected file system access, outbound network connections or child processes from the development server process
Network Indicators:
- Connections to the development server port (5173 by default) from any address other than the developer's own machine
- Requests to the plugin's server function endpoints from unexpected clients, or carrying values that look like module specifiers or file paths
SIEM Query (illustrative; the Vite dev server does not emit these events itself, so the fields have to come from process or file auditing such as auditd or an EDR, and the field names will differ in your pipeline):
source="vite-dev-server" AND (event="import" OR event="fs_access") AND user!=expected_user
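The network indicator above turned into a check you can run over host firewall logs, as an added example (not from this page and not Vite tooling): it parses netfilter/ufw-style KEY=VALUE log lines, keeps TCP records aimed at the dev-server port, and rates each non-loopback source by whether it sits on the local LAN (RFC 1918, link-local or IPv6 unique-local) or anywhere else. The port set, the severity labels and the six log lines are constructed for this example; adjust DEV_PORTS if you run vite with a custom --port.

```python
"""Flag connections to the Vite dev-server port that did not come from the local host.

Added example, not code from this page or from Vite. It parses netfilter/ufw-style
kernel log lines (KEY=VALUE tokens such as SRC=, DST=, PROTO=, DPT=), keeps TCP
records aimed at the dev port, and rates each non-loopback source by where it sits.
The log lines at the bottom are constructed, not real captures.
"""
import ipaddress
import re
from dataclasses import dataclass

DEV_PORTS = {5173}   # Vite's default; add the value you pass to --port if you changed it
_KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Networks that mean "someone on the local LAN", as opposed to the public internet.
_LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 unique local
)]


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str
    dport: int
    severity: str   # "medium" = LAN source, "high" = anything else


def classify_source(src: str) -> str:
    """'info' for loopback, 'medium' for LAN ranges, 'high' for any other address."""
    addr = ipaddress.ip_address(src)
    # Dual-stack sockets log IPv4 peers as ::ffff:a.b.c.d; unmap before classifying.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback:
        return "info"
    # A version mismatch (IPv4 address vs IPv6 network) simply evaluates to False.
    if any(addr in net for net in _LAN_NETS):
        return "medium"
    return "high"


def scan_lines(lines) -> list[Hit]:
    """One Hit per TCP record whose DPT is a dev port and whose SRC is not loopback."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(_KV.findall(line))
        if fields.get("PROTO", "").upper() != "TCP":
            continue                      # UDP noise, or not a connection record
        try:
            src, dport = fields["SRC"], int(fields["DPT"])
        except (KeyError, ValueError):
            continue
        if dport not in DEV_PORTS:
            continue
        severity = classify_source(src)
        if severity != "info":
            hits.append(Hit(n, src, dport, severity))
    return hits


# Constructed sample in ufw/netfilter log style: one public source, one LAN source,
# two loopback sources (plain and IPv4-mapped), one unrelated port, one UDP record.
SAMPLE_LOG = """\
[UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=5173
[UFW BLOCK] IN=eth0 OUT= SRC=10.0.0.23 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=5173
[UFW BLOCK] IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40002 DPT=5173
[UFW BLOCK] IN=eth0 OUT= SRC=::ffff:127.0.0.1 DST=::ffff:10.0.0.5 PROTO=TCP SPT=40003 DPT=5173
[UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=40004 DPT=443
[UFW BLOCK] IN=eth0 OUT= SRC=10.0.0.23 DST=10.0.0.5 PROTO=UDP SPT=5353 DPT=5173
""".splitlines()

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.severity.upper()} {hit.src} -> tcp/{hit.dport}")
```

The LAN ranges are listed explicitly rather than taken from ipaddress.is_private, because that property also counts documentation and reserved blocks as private and would rate a public-looking source too low. With the ufw rule from the workarounds section and ufw logging enabled, the blocked attempts show up in exactly this format in the kernel log.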