CVE-2025-67489


Summary

CVE-2025-67489 is a critical severity vulnerability affecting @vitejs/plugin-rs versions 0.5.5 and below. This vulnerability allows for arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs when integrated into React Server Components (RSC) applications that expose server function endpoints.

Technical Details

The vulnerability stems from the use of unsafe dynamic imports within the loadServerAction, decodeReply, and decodeAction server function APIs of @vitejs/plugin-rs. When an RSC application exposes server function endpoints, an attacker with network access to the development server can craft requests that cause these dynamic imports to load attacker-chosen code. The injected code then runs on the server with the privileges of the Vite development server process.

The root cause is insufficient sanitization and validation of input parameters used in the dynamic import statements. This allows an attacker to bypass security checks and inject malicious code that is then executed by the server. The vulnerability is particularly dangerous because it allows for complete control of the development server, potentially leading to data breaches, system compromise, and lateral movement within the network.

Affected Products and Versions

  • @vitejs/plugin-rs versions 0.5.5 and below

Impact Assessment

Successful exploitation of CVE-2025-67489 can have severe consequences, including:

  • Remote Code Execution: Attackers can execute arbitrary code on the development server.
  • Data Breach: Sensitive data, such as source code, environment variables, and credentials, can be accessed and exfiltrated.
  • System Compromise: The entire development server can be compromised, allowing attackers to modify files, install malware, or pivot to other internal services.
  • Supply Chain Attacks: Compromised development environments can be used to inject malicious code into the application's codebase, potentially affecting end-users.

Remediation

Immediate Actions

  • Upgrade @vitejs/plugin-rs: Upgrade to version 0.5.6 or later, which contains the fix for this vulnerability.
  • Restrict Network Access: If possible, restrict network access to the development server to only trusted IP addresses or networks. Avoid using vite --host in production or untrusted environments.
  • Monitor Development Server: Monitor the development server for suspicious activity, such as unusual network connections or file modifications.

Long-term Solutions

  • Input Validation: Implement robust input validation and sanitization for all server function APIs to prevent code injection attacks.
  • Secure Dynamic Imports: Avoid using dynamic imports with user-supplied input. If dynamic imports are necessary, ensure that the input is properly validated and sanitized.
  • Regular Security Audits: Conduct regular security audits of the application and its dependencies to identify and address potential vulnerabilities.
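The bug class described under Technical Details, and the "Secure Dynamic Imports" advice above, can be illustrated side by side. The following is an added example, not code from @vitejs/plugin-rs: a vulnerable resolver that hands a request-supplied server reference straight to import(), beside a hardened resolver that only uses the reference as a lookup key into a manifest built at registration time. The "moduleId#exportName" id format and the manifest shape are assumptions made for this illustration.

```javascript
// VULNERABLE pattern (illustration, not the plugin's actual code): the server
// reference id from the request body is split and passed to a dynamic import,
// so the caller decides which module specifier gets loaded and executed.
async function loadServerActionUnsafe(id) {
  const [modulePath, exportName] = id.split('#');
  const mod = await import(modulePath); // request-controlled specifier
  return mod[exportName];
}

// HARDENED pattern: server functions are registered in a manifest ahead of
// time; the request id is only a lookup key and never an import specifier.
// Malformed ids, unknown modules and unknown exports are all rejected.
const ID_PATTERN = /^[A-Za-z0-9_./-]+#[A-Za-z_$][\w$]*$/; // assumed id format

function resolveServerReference(id, manifest) {
  if (typeof id !== 'string' || !ID_PATTERN.test(id)) {
    throw new Error('malformed server reference');
  }
  const hashAt = id.lastIndexOf('#');
  const moduleId = id.slice(0, hashAt);
  const exportName = id.slice(hashAt + 1);
  // hasOwnProperty guards against prototype keys such as "__proto__".
  if (!Object.prototype.hasOwnProperty.call(manifest, moduleId)) {
    throw new Error('unknown server module');
  }
  const entry = manifest[moduleId];
  if (!entry.exports.includes(exportName)) {
    throw new Error('unknown server export');
  }
  return { moduleId, exportName, load: entry.load };
}

async function loadServerActionSafe(id, manifest) {
  const ref = resolveServerReference(id, manifest);
  const mod = await ref.load(); // loader fixed at registration, not by request
  return mod[ref.exportName];
}

// Constructed manifest standing in for what a build step would emit for
// modules carrying the "use server" directive.
const SERVER_MANIFEST = {
  'src/actions.ts': {
    exports: ['createTodo'],
    load: async () => ({ createTodo: (title) => ({ id: 1, title }) }),
  },
};
```

The hardened resolver accepts only ids that name a registered module and export; anything else, including ids that look like paths outside the registered set, is refused before any module is loaded.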

Detection & Scanning

This vulnerability can be detected by analyzing network traffic for suspicious requests containing code injection attempts. Security scanners and penetration testing tools can also be used to identify vulnerable instances of @vitejs/plugin-rs.
