CVE-2025-68155
Unknown Unknown - Not Provided
Unauthenticated Arbitrary File Read in @vitejs/plugin-rsc

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: GitHub, Inc.

Description
@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68155
EUVD
EUVD-2025-203834
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vitejs plugin-rsc 0.5.8
vitejs plugin-rsc 0.5.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68155 is a vulnerability in the @vitejs/plugin-rsc package used with Vite during development mode. The vulnerability exists in the /__vite_rsc_findSourceMapURL HTTP endpoint, which accepts a filename parameter. If this filename starts with file://, it is converted to a local filesystem path and read without proper validation or restriction. This allows an unauthenticated attacker to read any file accessible to the Node.js process running the Vite dev server by sending a crafted HTTP request. The flaw is due to missing checks to ensure the file is within the project directory or a legitimate source file, enabling arbitrary file read. The issue is fixed in version 0.5.8 of the plugin. [4]

Impact Analysis

This vulnerability can have a significant impact by allowing attackers to read sensitive files on the server running the Vite development environment. Attackers can access environment files (.env), SSH private keys, cloud credentials, database passwords, API keys, source code, and system files like /etc/passwd. This can lead to exposure of confidential information, unauthorized access to systems, and compromise of security credentials. The risk is especially high if the development server is exposed to untrusted networks or the internet. [4]

Detection Guidance

You can detect this vulnerability by sending an HTTP request to the `/__vite_rsc_findSourceMapURL` endpoint with a crafted `filename` query parameter using a `file://` URL to attempt to read arbitrary files. For example, using curl: `curl 'http://localhost:5173/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd&environmentName=Server'`. If the server responds with the contents of the file, it is vulnerable. This command tests if arbitrary file read is possible via the vulnerable endpoint. [4]

Mitigation Strategies

Immediate mitigation steps include upgrading `@vitejs/plugin-rsc` to version 0.5.8 or later, where the vulnerability is fixed by validating file access requests. Additionally, avoid exposing the development server to untrusted networks (e.g., do not run with `--host 0.0.0.0` unless necessary) to reduce attack surface. These steps prevent unauthorized arbitrary file reads via the vulnerable endpoint. [2, 4]

Compliance Impact

This vulnerability allows unauthenticated attackers to read arbitrary files accessible to the Node.js process during development mode, including sensitive files such as environment files, private keys, cloud credentials, database passwords, API keys, and source code. Such unauthorized disclosure of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality and security of personal and sensitive information. Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential data breaches and exposure of protected information. [4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart