VYPR
High severity7.5OSV Advisory· Published Dec 16, 2025· Updated Apr 15, 2026

CVE-2025-68155

CVE-2025-68155

Description

@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the /__vite_rsc_findSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a file:// URL in the filename query parameter. Version 0.5.8 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@vitejs/plugin-rscnpm
< 0.5.80.5.8

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.