CVE

GHSA-fmh4-wr37-44fp

React Server Components are Vulnerable to RCE

CVE

GHSA-fmh4-wr37-44fp

React Server Components are Vulnerable to RCE

Summary

@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

Impact

Applications using affected versions of @vitejs/plugin-rsc are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability.

Recommendations

Upgrade immediately to @vitejs/plugin-rsc@0.5.3 or later.

Workarounds

Applications not using server-side React or React Server Components are unaffected.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Related Resources

No items found.

References

https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r, https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp, https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp, https://github.com/vitejs/vite-plugin-react, https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Severity

10

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

EPSS Percentile

Introduced Version

Fix Available

0.5.3

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

GHSA-fmh4-wr37-44fp