GHSA-fmh4-wr37-44fp

Source
https://github.com/advisories/GHSA-fmh4-wr37-44fp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fmh4-wr37-44fp/GHSA-fmh4-wr37-44fp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fmh4-wr37-44fp
Published
2025-12-03T19:07:52Z
Modified
2025-12-11T18:28:39.190722Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
React Server Components are Vulnerable to RCE
Details

Summary

@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See the React repository's advisory for details: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

Impact

Applications using affected versions of @vitejs/plugin-rsc are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability.

Recommendations

Upgrade immediately to @vitejs/plugin-rsc@0.5.3 or later.

Workarounds

Applications not using server-side React or React Server Components are unaffected.
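As an added check that is not part of this advisory or of the Vite or React projects, the script below classifies package-lock.json entries against the fix versions the advisory states: @vitejs/plugin-rsc below 0.5.3, and react-server-dom-webpack below 19.0.1, 19.1.2 or 19.2.1 on its own release line (nested copies vendored under another package are checked too). The lockfile contents are constructed; react-server-dom-webpack versions on release lines the advisory does not name are reported as "unlisted" rather than judged.

```javascript
// Fix versions stated in the advisory. @vitejs/plugin-rsc: every version
// before 0.5.3 is affected. react-server-dom-webpack: fixed in 19.0.1,
// 19.1.2 and 19.2.1, one per release line.
const FIXED_VERSIONS = {
  '@vitejs/plugin-rsc': ['0.5.3'],
  'react-server-dom-webpack': ['19.0.1', '19.1.2', '19.2.1'],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers. Prerelease tags are
// ignored, so a canary build of an affected version is still reported.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns 'affected', 'fixed' or 'unlisted' for one package version.
function classify(name, version) {
  const fixes = FIXED_VERSIONS[name];
  if (!fixes) return 'unlisted';
  const v = parseSemver(version);
  const fixed = fixes.map(parseSemver);
  if (fixed.length === 1) return compare(v, fixed[0]) < 0 ? 'affected' : 'fixed';
  // Several fix versions: judge against the one on the same major.minor line.
  const line = fixed.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (!line) return 'unlisted';
  return compare(v, line) < 0 ? 'affected' : 'fixed';
}

// Walk the "packages" map of a lockfile (v2/v3). Keys look like
// "node_modules/a/node_modules/b"; the package name is whatever follows the
// last "node_modules/", so vendored nested copies are covered.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0 || !entry.version) continue;
    const name = path.slice(idx + 'node_modules/'.length);
    if (classify(name, entry.version) === 'affected') {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = { packages: {
  'node_modules/@vitejs/plugin-rsc': { version: '0.5.2' },
  'node_modules/@vitejs/plugin-rsc/node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/react': { version: '19.2.0' },
} };
```

Feed `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` a real lockfile to list every affected path; an empty result only means the listed fix versions are met, not that the vendored copy inside a published tarball was inspected.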

Database specific
{
    "github_reviewed_at": "2025-12-03T19:07:52Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

npm / @vitejs/plugin-rsc

Package

Name
@vitejs/plugin-rsc
Purl
pkg:npm/%40vitejs/plugin-rsc

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.5.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fmh4-wr37-44fp/GHSA-fmh4-wr37-44fp.json"
last_known_affected_version_range
"<= 0.5.2"