Insecure deserialization in @vitejs/plugin-rsc
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm default | @vitejs/plugin-rsc | 0.5.3 | |
Description
React Server Components are Vulnerable to RCE
Summary
@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See the React repository's advisory for details: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
Impact
Applications using affected versions of @vitejs/plugin-rsc are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability.
Recommendations
Upgrade immediately to @vitejs/plugin-rsc@0.5.3 or later.
Workarounds
Applications not using server-side React or React Server Components are unaffected.
Mitigation
• npm @vitejs/plugin-rsc: Upgrade to version(s) 0.5.3 or higher.
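A practical way to confirm the mitigation has landed is to audit the lockfile rather than trusting package.json, since a nested or duplicated copy of the plugin can remain on the old version. The following script is an added example, not code from the advisory or from the Vite project: it walks an npm lockfile (lockfileVersion 2 or 3, the "packages" map) and flags every installed copy of @vitejs/plugin-rsc below the patched 0.5.3, and every copy of the vendored react-server-dom-webpack below the fixed React releases the advisory names (19.0.1, 19.1.2, 19.2.1). It assumes plain semver versions without pre-release tags, and it reports minor lines the advisory does not mention as "unknown" rather than guessing; the sample lockfile is constructed for the demonstration.

```javascript
// Added example (not from the advisory or the Vite project): audit an npm
// lockfile for copies of @vitejs/plugin-rsc and react-server-dom-webpack that
// are still below the fixed versions named in the advisory.
// Assumptions: lockfileVersion 2/3 "packages" layout; plain x.y.z versions;
// minor lines the advisory does not name are reported as "unknown".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Patched thresholds taken directly from the advisory text.
const PLUGIN_RSC_FIXED = '0.5.3';
const RSDW_FIXED_BY_MINOR = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Returns "affected", "patched" or "unknown" for one package/version pair.
function classify(name, version) {
  if (name === '@vitejs/plugin-rsc') {
    return compareVersions(version, PLUGIN_RSC_FIXED) < 0 ? 'affected' : 'patched';
  }
  if (name === 'react-server-dom-webpack') {
    const [major, minor] = parseVersion(version);
    const fixed = RSDW_FIXED_BY_MINOR[`${major}.${minor}`];
    if (!fixed) return 'unknown'; // minor line not covered by the advisory
    return compareVersions(version, fixed) < 0 ? 'affected' : 'patched';
  }
  return 'unknown';
}

// Walk every installed path in the lockfile. Nested duplicates live under
// paths such as node_modules/foo/node_modules/@vitejs/plugin-rsc, which a
// package.json check would miss.
function auditLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (name !== '@vitejs/plugin-rsc' && name !== 'react-server-dom-webpack') continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not real project data): one stale top-level
// plugin copy, one patched nested copy, and a stale vendored RSDW.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@vitejs/plugin-rsc': { version: '0.5.2' },
    'node_modules/other/node_modules/@vitejs/plugin-rsc': { version: '0.5.3' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react': { version: '19.1.1' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of package-lock.json; any finding with status "affected" means the upgrade has not actually propagated to that install path.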
References
• GitHub Advisory Database
Severity v4.0: 8.4 (High)
Fluid Attacks ID: FLAT-PFMJV
CVE ID: GHSA-fmh4-wr37-44fp
CWE ID(s): CWE-502
Alternative ID: N/A
EPSS: N/A
Percentile: N/A
Source: GitHub Advisory Database