CVE-2025-68155
Published: 16 December 2025
Summary
CVE-2025-68155 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 20.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is an unauthenticated arbitrary file read flaw in the @vitejs/plugin-rsc package, which supplies React Server Components support for Vite. Prior to version 0.5.8, the development-mode endpoint /__vite_rsc_findSourceMapURL accepts a filename query parameter containing a file:// URL, enabling any file readable by the Node.js process to be retrieved. The issue is tracked as CWE-22 and CWE-73 and carries a CVSS 3.1 score of 7.5.
An attacker with network access to a development server running the vulnerable plugin can exploit the endpoint by sending a single crafted HTTP request. Successful exploitation yields read access to arbitrary files on the host, including source code, configuration, and other sensitive material accessible to the Node process, without authentication or user interaction.
The referenced GitHub security advisory GHSA-g239-q96q-x4qm and the commit 582fba0b9a52b13fcff6beaaa3bfbd532bc5359d indicate that the flaw is resolved in @vitejs/plugin-rsc 0.5.8; practitioners should upgrade immediately and avoid exposing development servers to untrusted networks.
The EPSS score remains low at 0.0118 and has not risen since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-203834
Vulnerability details
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.