High severity 7.5 · OSV Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026
CVE-2025-68155
Description
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the /__vite_rsc_findSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a file:// URL in the filename query parameter. Version 0.5.8 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @vitejs/plugin-rsc (npm) | < 0.5.8 | 0.5.8 |
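
To check a project against the affected range above, the following added example (not part of the advisory or of the plugin's code) walks an npm lockfile and reports every installed copy of @vitejs/plugin-rsc older than 0.5.8, nested copies included. The function names and the sample lockfile are constructed for illustration, and the lockfile is assumed to use the `packages` map of lockfileVersion 2 or 3.

```javascript
// Added example: audit an npm lockfile for installs affected by CVE-2025-68155.
const PKG = '@vitejs/plugin-rsc';
const PATCHED = '0.5.8'; // first fixed version, per the advisory table

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  return m && { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: negative if a < b. A prerelease sorts below its release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  if (!x || !y) throw new Error(`unparseable version: ${x ? b : a}`);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1; // fewer identifiers sorts lower
    if (y.pre[i] === undefined) return 1;
    if (x.pre[i] === y.pre[i]) continue;
    const nx = /^\d+$/.test(x.pre[i]), ny = /^\d+$/.test(y.pre[i]);
    if (nx && ny) return +x.pre[i] - +y.pre[i];
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort below text
    return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of PKG older than PATCHED, including nested ones.
function findVulnerableInstalls(lock) {
  const suffix = `node_modules/${PKG}`;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => (path === suffix || path.endsWith('/' + suffix)) && meta.version)
    .filter(([, meta]) => compareVersions(meta.version, PATCHED) < 0)
    .map(([path, meta]) => ({ path, version: meta.version, dev: Boolean(meta.dev) }));
}

// Constructed lockfile fragment for illustration; not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app' },
    'node_modules/@vitejs/plugin-rsc': { version: '0.5.8', dev: true },
    'node_modules/constructed-tool/node_modules/@vitejs/plugin-rsc': { version: '0.5.7', dev: true },
    'packages/docs/node_modules/@vitejs/plugin-rsc': { version: '0.5.8-beta.1', dev: true },
  },
};

console.log(findVulnerableInstalls(SAMPLE_LOCK));
```

The constructed prerelease entry is reported only because semver orders it below 0.5.8; the advisory does not say whether any prerelease carries the fix.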
Affected products (2)
- Range: plugin-react-oxc@0.1.1, plugin-react-oxc@0.2.0, plugin-react-oxc@0.2.1, …
References (6)
- github.com/advisories/GHSA-g239-q96q-x4qm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-68155 (ghsa, ADVISORY)
- github.com/facebook/react/pull/29708 (nvd, WEB)
- github.com/facebook/react/pull/30741 (nvd, WEB)
- github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d (nvd, WEB)
- github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm (nvd, WEB)