SCA: security update for @vitejs/plugin-rsc (GHSA-j76j-5p5g-9wfr)

critical Tenable Self-Hosted Container Security Plugin ID 436296

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- @vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using vite --host to expose the server on all network interfaces. This issue is fixed in version 0.5.6. (CVE-2025-67489)

See Also

https://github.com/advisories/GHSA-j76j-5p5g-9wfr

Plugin Details

Severity: Critical

ID: 436296

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 12/9/2025

Updated: 6/1/2026

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-67489

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/8/2025

Vulnerability Publication Date: 12/8/2025

Reference Information

CVE: CVE-2025-67489

CWE: CWE-94