Summary
@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See the details in the React repository's advisory GHSA-fv66-9v8q-g76r.
Impact
Applications using affected versions of @vitejs/plugin-rsc are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability.
Recommendations
Upgrade immediately to @vitejs/[email protected] or later.
Workarounds
Applications not using server-side React or React Server Components are unaffected.