PT-2025-51138 — Deserialization of Untrusted Data in Npm @Vitejs/Plugin-Rs

PT-2025-51138 · Npm · @Vitejs/Plugin-Rs

Published

2025-12-03

Updated

2025-12-03

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

Impact

Applications using affected versions of @vitejs/plugin-rsc are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability.

Recommendations

Upgrade immediately to @vitejs/plugin-rsc@0.5.3 or later.

Workarounds

Applications not using server-side React or React Server Components are unaffected.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

GHSA-FMH4-WR37-44FP

Affected Products

@Vitejs/Plugin-Rs