logo

Database

Insecure deserialization In @vitejs/plugin-rsc

Description

React Server Components are Vulnerable to RCE

Summary

@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

Impact

Applications using affected versions of @vitejs/plugin-rsc are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability.

Recommendations

Upgrade immediately to @vitejs/[email protected] or later.

Workarounds

Applications not using server-side React or React Server Components are unaffected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-fv66-9v8q-g76r2. GHSA-9qr9-h5gf-34mp3. GHSA-fmh4-wr37-44fp4. GCVE-GHSA-fmh4-wr37-44fp

References

1. https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r2. https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp3. https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp4. https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-PFMJV – Vulnerability | Fluid Attacks Database