CVE-2025-68155
Unauthenticated Arbitrary File Read in @vitejs/plugin-rsc
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| vitejs | plugin-rsc | 0.5.7 | affected |
| vitejs | plugin-rsc | 0.5.8 | fixed (see mitigation below) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68155 affects @vitejs/plugin-rsc, the Vite plugin for React Server Components, while the Vite dev server is running. The plugin registers an HTTP endpoint, /__vite_rsc_findSourceMapURL, that takes a filename query parameter. When filename begins with file://, the dev server converts the URL to a local filesystem path and reads that file without checking that it lies inside the project directory or corresponds to a module the server actually served. Anyone who can reach the dev server over HTTP can therefore read any file the Node.js process is able to open, with no authentication. Version 0.5.8 of the plugin fixes the issue. [4]
How can this vulnerability impact me?
The impact is disclosure of any file readable by the user running the Vite dev server, which is usually a developer's own account. That typically includes environment files (.env), SSH private keys, cloud provider credentials, database passwords, API keys, the project's source code and system files such as /etc/passwd. Stolen credentials can then be used for unauthorized access to other systems, turning a development-only bug into a wider compromise. The risk is highest when the dev server listens on a non-loopback interface or is otherwise reachable from untrusted networks or the internet. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can check a running dev server directly: send a request to the `/__vite_rsc_findSourceMapURL` endpoint with a `filename` query parameter carrying a `file://` URL and see whether the file comes back. For example, against a server on Vite's default port 5173: `curl 'http://localhost:5173/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd&environmentName=Server'`. If the response body contains the contents of /etc/passwd, the server is vulnerable; a patched server refuses the request instead. The endpoint only exists while the dev server with this plugin is running, so the probe says nothing about production builds; for those, check the installed `@vitejs/plugin-rsc` version in your lockfile against the fixed version 0.5.8. [4]
What immediate steps should I take to mitigate this vulnerability?
Upgrade `@vitejs/plugin-rsc` to version 0.5.8 or later, where the endpoint validates which files it will serve. Until every developer has upgraded, keep the dev server bound to loopback: do not start it with `--host 0.0.0.0` (or an equivalent non-loopback `--host` value) unless it is genuinely needed, and do not forward its port to untrusted networks. If a vulnerable dev server was reachable from outside the machine, treat any secrets readable by that user (.env files, SSH keys, cloud and database credentials) as potentially exposed and rotate them. [2, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the flaw lets an unauthenticated attacker read arbitrary files available to the Node.js process, exploitation can expose credentials, source code and any personal or health data present on the developer's machine or in files the dev server can reach. Regulations such as GDPR and HIPAA require organizations to protect the confidentiality of such data, so a successful attack could amount to a reportable data breach and a compliance failure, even though the vulnerable component only runs in development mode. [4]