High severity (7.5) · OSV Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026
CVE-2025-68155
Description
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the /__vite_rsc_findSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a file:// URL in the filename query parameter. Version 0.5.8 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @vitejs/plugin-rsc (npm) | < 0.5.8 | 0.5.8 |
Affected products
- Range: plugin-react-oxc@0.1.1, plugin-react-oxc@0.2.0, plugin-react-oxc@0.2.1, …
Patches
582fba0b9a52 fix(rsc): validate `findSourceMapURL` request (#1024)
3 files changed · +22 −2
packages/plugin-rsc/e2e/basic.test.ts+11 −0 modified@@ -20,6 +20,17 @@ import path from 'node:path' test.describe('dev-default', () => { const f = useFixture({ root: 'examples/basic', mode: 'dev' }) defineTest(f) + + test('validate findSourceMapURL', async () => { + const requestUrl = new URL(f.url('__vite_rsc_findSourceMapURL')) + requestUrl.searchParams.set( + 'filename', + new URL('../examples/basic/.env', import.meta.url).href, + ) + requestUrl.searchParams.set('environmentName', 'Server') + const response = await fetch(requestUrl) + expect(response.status).toBe(404) + }) }) test.describe('dev-initial', () => {
packages/plugin-rsc/examples/basic/.env+1 −0 added@@ -0,0 +1 @@ +TEST_ENV=ok
packages/plugin-rsc/src/plugins/find-source-map-url.ts+10 −2 modified@@ -1,5 +1,10 @@ import { fileURLToPath } from 'node:url' -import type { EnvironmentModuleNode, Plugin, ViteDevServer } from 'vite' +import { + isFileLoadingAllowed, + type EnvironmentModuleNode, + type Plugin, + type ViteDevServer, +} from 'vite' import fs from 'node:fs' // @@ -48,7 +53,10 @@ async function findSourceMapURL( // this is likely server external (i.e. outside of Vite processing) if (filename.startsWith('file://')) { filename = fileURLToPath(filename) - if (fs.existsSync(filename)) { + if ( + isFileLoadingAllowed(server.config, filename) && + fs.existsSync(filename) + ) { // line-by-line identity source map const content = fs.readFileSync(filename, 'utf-8') return {
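Review bot: the `expect(response.status).toBe(404)` assertion in the new `validate findSourceMapURL` test cannot distinguish a denied file from a missing one, because the handler also produces no result when `fs.existsSync` is false, so the test would pass without the fix if the fixture `.env` were absent. Suggest adding a positive control in the same test (a request for a file that is inside the allowed roots, expecting 200) and a second negative case for a path above the workspace root, so a regression in either direction is caught.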
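Review bot: the added `packages/plugin-rsc/examples/basic/.env` fixture is a file name that repository `.gitignore` rules commonly exclude, and the test depends on it being present; confirm the file is actually tracked (the hunk shows only `TEST_ENV=ok`, so nothing sensitive is committed), otherwise the expected 404 comes from the file being absent rather than from the new check.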
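Review bot: the new named import `isFileLoadingAllowed` from 'vite' in the first hunk of `find-source-map-url.ts` is only provided by Vite releases that export it, and a host running an older Vite would fail at module load; since the patch does not touch the package manifest, check that the plugin's Vite peer-dependency floor matches and state the requirement in the changelog entry for #1024.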
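Review bot: in the `if (filename.startsWith('file://'))` branch, the new condition `isFileLoadingAllowed(server.config, filename) && fs.existsSync(filename)` silently falls through when the policy check fails, leaving the reader to infer from the e2e test that the eventual response is 404; add a comment or an explicit return at that point so a later refactor of the fall-through path does not reintroduce the read. Applying the check to the `fileURLToPath`-normalized value rather than the raw URL, as the hunk does, is the right order and should be kept.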
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g239-q96q-x4qm (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-68155 (source: ghsa, type: ADVISORY)
- github.com/facebook/react/pull/29708 (source: nvd, type: WEB)
- github.com/facebook/react/pull/30741 (source: nvd, type: WEB)
- github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d (source: nvd, type: WEB)
- github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm (source: nvd, type: WEB)
News mentions
No linked articles in our index yet.