Cyber Posture

CVE-2025-67489

Severity: Critical
Published: 09 December 2025
Modified: 15 April 2026
KEV Added: none
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (53.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in the server function APIs (loadServerAction, decodeReply, decodeAction) when the plugin is integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read or modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. Only development servers are affected, but the risk increases when vite --host is used to expose the server on all network interfaces. The issue is fixed in version 0.5.6.
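The following is an added illustration, not code from @vitejs/plugin-rsc or from this advisory: a minimal server-function dispatcher showing the pattern the description names, an import() specifier derived from the client's request, beside a registry-based version that never passes request text to import(). All names (parseServerReference, serverModuleRegistry, loadServerActionUnsafe, loadServerActionSafe, the sample action id) are hypothetical, and the attacker payload is a constructed data: URL module, which Node's ESM loader accepts as an import specifier.

```javascript
// Added illustration, not code from @vitejs/plugin-rsc. Every name below is
// hypothetical; the registry and the attacker payload are constructed.

// Constructed registry of server modules known at build time. A real RSC
// setup would derive this from the plugin's server-reference manifest.
const serverModuleRegistry = new Map([
  ["/src/actions/todo.js#addTodo", { module: "/src/actions/todo.js", exportName: "addTodo" }],
]);

// Split a client-supplied reference "<module>#<export>" without validating it.
function parseServerReference(id) {
  const hash = id.lastIndexOf("#");
  if (hash === -1) throw new Error("malformed server reference: " + id);
  return { module: id.slice(0, hash), exportName: id.slice(hash + 1) };
}

// VULNERABLE: whatever the client put before "#" becomes the import() specifier.
// Node's ESM loader accepts data: URLs, file: URLs and absolute paths, so the
// client decides which code runs inside the dev-server process.
async function loadServerActionUnsafe(id, importer = (spec) => import(spec)) {
  const ref = parseServerReference(id);
  const mod = await importer(ref.module);
  return mod[ref.exportName];
}

// HARDENED: the client supplies an opaque key; the specifier comes only from
// the registry, so import() never sees attacker-chosen text.
function resolveServerReference(id, registry = serverModuleRegistry) {
  const entry = registry.get(id);
  if (!entry) throw new Error("unknown server reference: " + id);
  return entry;
}

async function loadServerActionSafe(id, importer = (spec) => import(spec)) {
  const ref = resolveServerReference(id);
  const mod = await importer(ref.module);
  return mod[ref.exportName];
}

// Constructed attacker payload: the module part is a data: URL whose body is a
// JavaScript module that runs on import. Base64 keeps it free of "#" and spaces.
const payloadSource = "globalThis.__rsc_demo_pwned = true; export default 'pwned';";
const maliciousId =
  "data:text/javascript;base64," + Buffer.from(payloadSource).toString("base64") + "#default";

// Synchronous view of the difference: which specifier would each loader hand to import()?
function specifierSeenByUnsafeLoader(id) {
  return parseServerReference(id).module;
}
function specifierSeenBySafeLoader(id) {
  try {
    return resolveServerReference(id).module;
  } catch {
    return null; // rejected before any import() happens
  }
}

// Run stand-alone with `node example.js`: the unsafe loader executes the payload
// (the global flag flips), the hardened loader rejects the same id outright.
async function demo() {
  const fn = await loadServerActionUnsafe(maliciousId);
  console.log("unsafe loader returned:", fn, "pwned flag:", globalThis.__rsc_demo_pwned);
  try {
    await loadServerActionSafe(maliciousId);
  } catch (err) {
    console.log("hardened loader:", err.message);
  }
}
demo().catch((err) => console.error(err));
```

The lesson generalises beyond data: URLs: file: URLs, absolute paths and bare package names are all importable, so any specifier assembled from request data is code execution on the server. The fix is to make the request select from a fixed set of build-time references rather than describe a module.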

Mitigating Controls (NIST 800-53 r5)

prevent: Remediate by updating @vitejs/plugin-rsc to version 0.5.6 or later, which removes the unsafe dynamic imports that enable the remote code execution.

prevent: Enforce network boundary protections (host firewall, network segmentation) so that the development server is reachable only from trusted hosts, blocking remote exploitation over the network.

prevent: Mandate secure configuration for Vite development servers: do not run with --host (or with server.host set to true or 0.0.0.0) unless there is a specific need, so the server binds only to localhost and its network exposure stays minimal.
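An added check, not part of this page or of the Vite project, that combines the three controls above: given the installed @vitejs/plugin-rsc version and the dev-server host setting, it reports whether the project is on a vulnerable release and whether the server is network-exposed. auditDevServer, effectiveHost and the other names are hypothetical; the version string would normally be read from node_modules/@vitejs/plugin-rsc/package.json, and the host logic follows Vite's documented semantics (server.host is a string or boolean, --host with no value means true, i.e. listen on all addresses, default is localhost).

```javascript
// Added check, not from the page or from Vite. Names are hypothetical; the
// sample inputs at the bottom are constructed.

const FIXED_VERSION = "0.5.6";

// Compare two semver strings numerically on major.minor.patch. A prerelease
// of a version sorts before that version, as semver specifies.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  const preA = a.includes("-"), preB = b.includes("-");
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

function isAffectedVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Vite semantics: host undefined/false -> localhost only; true -> all
// addresses; a string is bound literally, so anything non-loopback is exposed.
function isNetworkExposed(host) {
  if (host === undefined || host === false) return false;
  if (host === true) return true;
  const loopback = new Set(["localhost", "127.0.0.1", "::1"]);
  return !loopback.has(String(host));
}

// An explicit CLI --host overrides vite.config's server.host.
function effectiveHost(serverConfig, argv) {
  const eq = argv.find((a) => a.startsWith("--host="));
  if (eq) return eq.slice("--host=".length);
  const i = argv.indexOf("--host");
  if (i !== -1) {
    const next = argv[i + 1];
    return next === undefined || next.startsWith("-") ? true : next;
  }
  return serverConfig && serverConfig.host;
}

function auditDevServer({ pluginRscVersion, serverConfig = {}, argv = [] }) {
  const host = effectiveHost(serverConfig, argv);
  const vulnerable = isAffectedVersion(pluginRscVersion);
  const exposed = isNetworkExposed(host);
  const findings = [];
  if (vulnerable) {
    findings.push(`@vitejs/plugin-rsc ${pluginRscVersion} is below ${FIXED_VERSION}; upgrade`);
  }
  if (exposed) {
    findings.push(`dev server listens on ${host === true ? "all interfaces" : host}; bind to localhost`);
  }
  const risk = vulnerable ? (exposed ? "vulnerable-exposed" : "vulnerable-local") : "ok";
  return { vulnerable, exposed, risk, findings };
}

// Constructed sample inputs: the weak setup (old plugin, `vite --host`) and the fixed one.
const weakSetup = auditDevServer({ pluginRscVersion: "0.5.5", serverConfig: {}, argv: ["dev", "--host"] });
const fixedSetup = auditDevServer({ pluginRscVersion: "0.5.6", serverConfig: { host: "127.0.0.1" } });
console.log(weakSetup);
console.log(fixedSetup);
```

A "vulnerable-local" result still warrants the upgrade: the server is only unreachable from other machines, not from anything already running on the developer's host.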

Security Summary

CVE-2025-67489 is an arbitrary remote code execution vulnerability in the @vitejs/plugin-rsc package, which provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are affected because of unsafe dynamic imports in the server function APIs loadServerAction, decodeReply and decodeAction. The issue arises on the development server when the plugin is integrated into RSC applications that expose server function endpoints. It is classified under CWE-94 (Improper Control of Generation of Code, 'Code Injection') and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Attackers with network access to the vulnerable development server can exploit this flaw to execute arbitrary code. Successful exploitation enables reading or modifying files, exfiltrating sensitive data such as source code, environment variables, and credentials, or pivoting to other internal services. While the vulnerability is confined to development servers, the risk escalates when developers use the vite --host flag to bind the server to all network interfaces, making it remotely accessible.

The issue is addressed in version 0.5.6 of @vitejs/plugin-rsc; update to that version or later. Details of the fix are in the GitHub security advisory GHSA-j76j-5p5g-9wfr and the associated commit fe634b58210d0a4a146a7faae56cd71af3bb9af4.

Details

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows arbitrary remote code execution on a network-exposed development server without authentication, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
