CVE-2025-68155: @vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint
The `/__vite_rsc_findSourceMapURL` endpoint that @vitejs/plugin-rsc registers on the Vite development server performs no authentication and does not restrict which file its `filename` query parameter may name; in particular, a `file://` URL is accepted there. An attacker who can reach the dev server can therefore send a crafted HTTP request and read any file that the Node.js process running `vite dev` can read. The endpoint only exists while the dev server is running, so production builds are unaffected. Note that Vite's dev server binds to localhost by default; exposing it with `--host` (`server.host`) widens the set of clients that can reach the endpoint, but any client that can reach the dev server port can trigger the read.
Severity: High
Attack Vector: Network
Privileges Required: None
Scope: Development mode only (vite dev)
References
- github.com/advisories/GHSA-g239-q96q-x4qm
- github.com/facebook/react/pull/29708
- github.com/facebook/react/pull/30741
- github.com/vitejs/vite-plugin-react
- github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d
- github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm
- nvd.nist.gov/vuln/detail/CVE-2025-68155