Vite Plugin React, Denial of Service, GHSA-7gmr-mq3h-m5h9 (High)

The vulnerability exists in the `@vitejs/plugin-rsc` plugin's integration of `react-server-dom-webpack` for processing React Server Components (RSCs). In affected versions, prior to `@vitejs/plugin-rsc@0.5.7` and `react-server-dom-webpack@19.2.3`, the server-side component deserialization logic does not properly validate or sanitize the structure of incoming RSC payloads. A maliciously crafted RSC response can cause the deserializer to enter an infinite processing loop or allocate excessive memory when parsing specific nested or recursive component tree structures. This occurs because the decoder does not enforce limits on the depth or complexity of the object graph being reconstructed from the wire format, leading to uncontrolled resource consumption on the Vite development server or a production SSR environment and resulting in a Denial of Service condition.
Platform: Vite Plugin React
Version: Prior to 0.5.7
Vulnerability: Denial of Service
Severity: High
Date: Dec 12 2025

Prediction: Patched Dec 12 2025

What Undercode Say:

Check the installed versions:

```bash
npm list @vitejs/plugin-rsc react-server-dom-webpack
```

Check package.json for a vulnerable version range of `@vitejs/plugin-rsc` (matches 0.0.x through 0.5.6, with an optional `^` or `~` prefix; `npm list` above is authoritative for what is actually installed):

```bash
grep -E '"@vitejs/plugin-rsc": *"[~^]?0\.(5\.[0-6]|[0-4]\.[0-9]+)"' package.json
```

Example vulnerable dependency block:

```json
"devDependencies": {
  "@vitejs/plugin-rsc": "^0.5.0"
}
```

Remediation command (`npm update` stays within the semver range declared in package.json, so a `^0.5.0` range moves to 0.5.7 or later, while a pinned `0.5.6` must be edited by hand):

```bash
npm update @vitejs/plugin-rsc react-server-dom-webpack
```

How Exploit:

Craft malicious RSC payload with deeply nested circular references or excessive component recursion. Send payload to Vite dev server RSC endpoint. Server enters infinite parsing loop, consuming 100% CPU and memory, causing service outage.

Protection from this CVE:

Update `@vitejs/plugin-rsc` to version `0.5.7` or later. Update `react-server-dom-webpack` to `19.2.3` or later. Implement network-level request size and rate limiting for RSC endpoints.
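As an added illustration of the missing depth and complexity limits described above and of the request-size control recommended here (example code written for this page, not code from Vite or the plugin), the following Node.js guard rejects a payload before it reaches the deserializer. The limit values, the `checkGraphLimits` and `guardRscBody` names and the sample payloads are assumptions.

```javascript
// Added example (not from the advisory, Vite or the plugin): a pre-deserialization
// guard enforcing size, depth and node-count caps on an RSC-style JSON payload.
// Limit values are assumed; tune them to the largest legitimate tree you serve.
const LIMITS = { maxBytes: 1_000_000, maxDepth: 64, maxNodes: 50_000 };

// Walk an already-parsed JSON value iteratively (no recursion, so the guard itself
// cannot overflow the stack on hostile input) and enforce the depth and node caps.
function checkGraphLimits(root, limits = LIMITS) {
  const stack = [{ value: root, depth: 1 }];
  let nodes = 0;
  while (stack.length > 0) {
    const { value, depth } = stack.pop();
    nodes += 1;
    if (nodes > limits.maxNodes) return { ok: false, reason: 'too many nodes' };
    if (depth > limits.maxDepth) return { ok: false, reason: 'nesting too deep' };
    if (value !== null && typeof value === 'object') {
      const children = Array.isArray(value) ? value : Object.values(value);
      for (const child of children) stack.push({ value: child, depth: depth + 1 });
    }
  }
  return { ok: true, nodes };
}

// Gate a raw request body: cheap byte-size cap first, then parse, then graph check.
// Returns the parsed value only when every check passes.
function guardRscBody(body, limits = LIMITS) {
  if (Buffer.byteLength(body, 'utf8') > limits.maxBytes) {
    return { ok: false, reason: 'body too large' };
  }
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return { ok: false, reason: 'malformed JSON' };
  }
  const graph = checkGraphLimits(parsed, limits);
  return graph.ok ? { ok: true, value: parsed } : graph;
}

// Constructed sample inputs: a small element tree loosely modelled on the RSC wire
// shape, and a hostile payload nested 200 levels deep.
const benign = JSON.stringify(['$', 'div', null, { children: ['$', 'p', null, { children: 'hi' }] }]);
const hostile = '['.repeat(200) + ']'.repeat(200);

function demo() {
  return { benign: guardRscBody(benign).ok, hostile: guardRscBody(hostile) };
}
```

In a real deployment the guard would run in the request handler in front of the deserializer, alongside the rate limiting the advisory recommends.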

Impact:

Complete development server denial-of-service. Potential production SSR service disruption.

Sources:

Reported By: github.com