Cyber Resilience

CVE-2025-68155

Severity: High
Published: 16 December 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in 0.5.8)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0118 (79.2nd percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-68155 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 20.8% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an unauthenticated arbitrary file read flaw in the @vitejs/plugin-rsc package, which supplies React Server Components support for Vite. Prior to version 0.5.8, the development-mode endpoint /__vite_rsc_findSourceMapURL accepts a filename query parameter containing a file:// URL, enabling any file readable by the Node.js process to be retrieved. The issue is tracked as CWE-22 and CWE-73 and carries a CVSS 3.1 score of 7.5.

An attacker with network access to a development server running the vulnerable plugin can exploit the endpoint by sending a single crafted HTTP request. Successful exploitation yields read access to arbitrary files on the host, including source code, configuration, and other sensitive material accessible to the Node process, without authentication or user interaction.

The referenced GitHub security advisory GHSA-g239-q96q-x4qm and the commit 582fba0b9a52b13fcff6beaaa3bfbd532bc5359d indicate that the flaw is resolved in @vitejs/plugin-rsc 0.5.8; practitioners should upgrade immediately and avoid exposing development servers to untrusted networks.

EPSS remains low and unchanged at 0.0118 with no observed rise after disclosure.

Vulnerability details

@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.

CWE(s)

CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-22, CWE-73

Validates pathnames and filenames to prevent traversal outside intended directories.

References

GitHub security advisory GHSA-g239-q96q-x4qm; fix commit 582fba0b9a52b13fcff6beaaa3bfbd532bc5359d (@vitejs/plugin-rsc 0.5.8).