CVE-2025-68155

Source
https://cve.org/CVERecord?id=CVE-2025-68155
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68155.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68155
Aliases
Published
2025-12-16T18:20:51.428Z
Modified
2026-03-14T12:46:03.499274Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
@vitejs/plugin-rsc has Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint on Development
Details

@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in @vitejs/plugin-rsc allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.

Database specific
{
    "cwe_ids": [
        "CWE-22",
        "CWE-73"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68155.json"
}
References

Affected packages

Git / github.com/vitejs/vite-plugin-react

Affected ranges

Type
GIT
Repo
https://github.com/vitejs/vite-plugin-react
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

plugin-react-oxc@0.*
plugin-react-oxc@0.1.1
plugin-react-oxc@0.2.0
plugin-react-oxc@0.2.1
plugin-react-oxc@0.2.2
plugin-react-oxc@0.2.3
plugin-react-oxc@0.3.0
plugin-react-oxc@0.4.0
plugin-react-oxc@0.4.0-beta.0
plugin-react-oxc@0.4.1
plugin-react-oxc@0.4.2
plugin-react-oxc@0.4.3
plugin-react-swc@3.*
plugin-react-swc@3.10.0
plugin-react-swc@3.10.1
plugin-react-swc@3.10.2
plugin-react-swc@3.11.0
plugin-react-swc@3.9.0
plugin-react-swc@3.9.0-beta.0
plugin-react-swc@3.9.0-beta.2
plugin-react-swc@3.9.0-beta.3
plugin-react-swc@4.*
plugin-react-swc@4.0.0
plugin-react-swc@4.0.0-beta.0
plugin-react-swc@4.0.1
plugin-react-swc@4.1.0
plugin-react-swc@4.2.0
plugin-react-swc@4.2.1
plugin-react-swc@4.2.2
plugin-react@3.*
plugin-react@3.0.0
plugin-react@3.0.0-alpha.2
plugin-react@3.0.0-beta.0
plugin-react@3.0.1
plugin-react@3.1.0
plugin-react@3.1.0-beta.0
plugin-react@4.*
plugin-react@4.0.0
plugin-react@4.0.0-beta.0
plugin-react@4.0.0-beta.1
plugin-react@4.0.1
plugin-react@4.0.2
plugin-react@4.0.3
plugin-react@4.0.4
plugin-react@4.1.0
plugin-react@4.1.1
plugin-react@4.2.0
plugin-react@4.2.1
plugin-react@4.3.0
plugin-react@4.3.1
plugin-react@4.3.2
plugin-react@4.3.3
plugin-react@4.3.4
plugin-react@4.4.0
plugin-react@4.4.0-beta.0
plugin-react@4.4.0-beta.1
plugin-react@4.4.0-beta.2
plugin-react@4.4.1
plugin-react@4.5.0
plugin-react@4.5.1
plugin-react@4.5.2
plugin-react@4.6.0
plugin-react@4.7.0
plugin-react@5.*
plugin-react@5.0.0
plugin-react@5.0.0-beta.0
plugin-react@5.0.1
plugin-react@5.0.2
plugin-react@5.0.3
plugin-react@5.0.4
plugin-react@5.1.0
plugin-react@5.1.1
plugin-react@5.1.2
plugin-rsc@0.*
plugin-rsc@0.4.10
plugin-rsc@0.4.11
plugin-rsc@0.4.12
plugin-rsc@0.4.13
plugin-rsc@0.4.14
plugin-rsc@0.4.15
plugin-rsc@0.4.16
plugin-rsc@0.4.17
plugin-rsc@0.4.18
plugin-rsc@0.4.19
plugin-rsc@0.4.20
plugin-rsc@0.4.21
plugin-rsc@0.4.22
plugin-rsc@0.4.23
plugin-rsc@0.4.24
plugin-rsc@0.4.25
plugin-rsc@0.4.26
plugin-rsc@0.4.27
plugin-rsc@0.4.28
plugin-rsc@0.4.29
plugin-rsc@0.4.30
plugin-rsc@0.4.31
plugin-rsc@0.4.32
plugin-rsc@0.4.33
plugin-rsc@0.4.34
plugin-rsc@0.5.0
plugin-rsc@0.5.1
plugin-rsc@0.5.2
plugin-rsc@0.5.3
plugin-rsc@0.5.4
plugin-rsc@0.5.5
plugin-rsc@0.5.6
plugin-rsc@0.5.7
v3.*
v3.9.0-beta.2
v4.*
v4.0.2
v4.0.3
v4.0.4
v4.1.0
v4.1.1
v4.2.0
v4.2.1
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.4.0-beta.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68155.json"