CVE-2025-68155
📋 TL;DR
This vulnerability in @vitejs/plugin-rsc allows unauthenticated attackers to read arbitrary files accessible to the Node.js process during development mode. Attackers can exploit this by sending crafted HTTP requests with file:// URLs to the /__vite_rsc_findSourceMapURL endpoint. Only developers using affected versions of @vitejs/plugin-rsc in development environments are impacted.
💻 Affected Systems
- @vitejs/plugin-rsc
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of development environment including source code, configuration files, secrets, and credentials stored in files accessible to the Node.js process.
Likely Case
Exfiltration of sensitive development files including API keys, database credentials, and proprietary source code.
If Mitigated
Limited impact if development servers are isolated from production data and sensitive files are properly secured.
🎯 Exploit Status
Simple HTTP request with file:// URL parameter required
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.5.8
Vendor Advisory: https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm
Restart Required: Yes
Instructions:
1. Update package.json to specify @vitejs/plugin-rsc version 0.5.8 or higher. 2. Run npm update @vitejs/plugin-rsc or yarn upgrade @vitejs/plugin-rsc. 3. Restart development server.
🔧 Temporary Workarounds
Disable development server exposure
allEnsure development servers are not exposed to untrusted networks
Use localhost binding only: vite --host localhost
Configure firewall to block external access to dev port
Network isolation
allRun development environment in isolated network segment
Use Docker with network isolation
Configure VPN for development access only
🧯 If You Can't Patch
- Restrict development server access to localhost only
- Implement network segmentation to isolate development environments
🔍 How to Verify
Check if Vulnerable:
Check package.json for @vitejs/plugin-rsc version <0.5.8 and verify development server is runningCheck Version:
npm list @vitejs/plugin-rscVerify Fix Applied:
Confirm @vitejs/plugin-rsc version is 0.5.8 or higher in package.json and node_modules📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /__vite_rsc_findSourceMapURL with file:// parameters
- Unusual file read operations from Node.js process
Network Indicators:
- HTTP GET requests to development port with file:// URLs in query parameters
SIEM Query:
http.url:"*__vite_rsc_findSourceMapURL*" AND http.query:"*file://*"