PT-2025-50276 · Vitejs · @Vitejs/Plugin-Rs

Published 2025-12-09 · Updated 2025-12-10 · CVE-2025-67489

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: @vitejs/plugin-rs versions 0.5.5 and below

Description: The @vitejs/plugin-rs software, which provides React Server Components (RSC) support for Vite, contains a flaw that could allow arbitrary remote code execution on the development server. The cause is unsafe dynamic imports within the server function APIs – specifically loadServerAction, decodeReply, and decodeAction – when they are used with RSC applications that expose server function endpoints. An attacker with network access to the development server could potentially read or modify files, steal sensitive data such as source code, environment variables, and credentials, or pivot to other internal services. The risk is heightened when the development server is exposed on all network interfaces using the vite --host command.

Recommendations: Update @vitejs/plugin-rs to version 0.5.6 or later.

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-67489
GHSA-J76J-5P5G-9WFR

Affected Products

@Vitejs/Plugin-Rs