GHSA-fmh4-wr37-44fp

Published: 03 Dec 2025
Source: github
Github: Reviewed
CVSS3: 10

Description

React Server Components are Vulnerable to RCE

Summary

@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See the React repository's advisory for details: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

Impact

Applications using affected versions of @vitejs/plugin-rsc are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability.

Recommendations

Upgrade immediately to @vitejs/plugin-rsc@0.5.3 or later.

Workarounds

Applications not using server-side React or React Server Components are unaffected.

Packages

Name: @vitejs/plugin-rsc
Ecosystem: npm
Affected versions: <= 0.5.2
Fixed version: 0.5.3

CVSS3: 10 Critical

Weaknesses: CWE-502
