CVE-2025-67489: @vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server

December 8, 2025 (updated December 9, 2025)

Arbitrary Remote Code Execution on development server via unsafe dynamic imports in @vitejs/plugin-rsc server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints.

References

github.com/advisories/GHSA-j76j-5p5g-9wfr
github.com/vitejs/vite-plugin-react
github.com/vitejs/vite-plugin-react/commit/fe634b58210d0a4a146a7faae56cd71af3bb9af4
github.com/vitejs/vite-plugin-react/security/advisories/GHSA-j76j-5p5g-9wfr
nvd.nist.gov/vuln/detail/CVE-2025-67489

Code Behaviors & Features

Detect and mitigate CVE-2025-67489 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →