Vite Plugin RSC Vulnerability

CRITICAL (9.8)

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.29% chance of exploitation (percentile: 52%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

@vitejs/plugin-rsc is a plugin for Vite, a popular front-end build tool, that adds support for React Server Components (RSC). The vulnerability is a remote code execution flaw: unsafe dynamic imports in the plugin's server function APIs let an attacker run arbitrary code on the development server. With code execution on the development server, an attacker can read or modify files, exfiltrate sensitive data, or pivot to other internal services reachable from that host.

Am I affected?

Affected versions: 0.5.5

If you don't recognise this software, you're probably not affected.

Affected Packages

npm: vite-plugin-react

How to fix

Upgrade to @vitejs/plugin-rsc version 0.5.6 or later: https://github.com/vitejs/vite-plugin-react/releases/tag/0.5.6

Immediate mitigations:
- Restrict network access to your development server (firewall it off from the public internet so only trusted hosts can reach it)
- Audit admin account activity for suspicious access patterns
- Monitor for unauthorized token creation