
CVE-2025-68155: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in vitejs vite-plugin-react

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-68155, cwe-22, cwe-73
Published: Tue Dec 16 2025 (12/16/2025, 18:20:51 UTC)
Source: CVE Database V5
Vendor/Project: vitejs
Product: vite-plugin-react

Description

`@vitejs/plugin-rsc` provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue.

AI-Powered Analysis

Last updated: 12/16/2025, 18:39:58 UTC

Technical Analysis

CVE-2025-68155 is a path traversal vulnerability (CWE-22) found in the `@vitejs/plugin-rsc` component of the vite-plugin-react package used with the Vite build tool. This vulnerability exists in versions prior to 0.5.8 and manifests in the `/__vite_rsc_findSourceMapURL` HTTP endpoint, which is intended to support React Server Components (RSC) during development. The flaw allows unauthenticated attackers to craft HTTP requests containing a `file://` URL in the `filename` query parameter, enabling arbitrary file read access to any file accessible by the Node.js process on the server.

Since this occurs in development mode, it is typically exposed on developer machines or development servers that may be accessible within internal networks or, if misconfigured, externally. The vulnerability does not require authentication or user interaction, making exploitation straightforward if the endpoint is reachable. The impact is primarily confidentiality loss, as attackers can read sensitive files such as environment variables, source code, or credentials. The vulnerability was assigned a CVSS 3.1 score of 7.5 (high severity) due to its network attack vector, lack of required privileges, and high confidentiality impact.

The issue was addressed in vite-plugin-react version 0.5.8 by properly restricting file access and sanitizing input parameters to prevent path traversal. No known exploits have been reported in the wild as of the publication date. However, the risk remains significant for organizations using vulnerable versions in development environments accessible to untrusted users.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive development data. Exposure of source code, configuration files, API keys, or credentials could lead to further compromise, including intellectual property theft or escalation to production environments. Organizations using Vite and vite-plugin-react in their development pipelines, especially those with publicly accessible or poorly segmented development servers, are at risk. The impact is heightened for companies in sectors with strict data protection requirements such as finance, healthcare, and critical infrastructure, where leakage of sensitive information could have regulatory and reputational consequences. Additionally, the vulnerability could facilitate lateral movement within corporate networks if attackers gain access to internal development environments. Although the vulnerability does not affect production builds directly, the development environment exposure can be a stepping stone for more severe attacks.

Mitigation Recommendations

The primary mitigation is to upgrade vite-plugin-react to version 0.5.8 or later, which contains the patch preventing path traversal. Organizations should audit their development environments to ensure no vulnerable versions are in use. Access to development servers running Vite should be strictly controlled and limited to trusted internal users, ideally isolated from external networks via VPNs or firewalls. Implement network segmentation to prevent unauthorized access to development tools. Additionally, monitor HTTP endpoints for suspicious requests containing file:// URLs or unusual query parameters. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) capable of detecting and blocking path traversal attempts. Developers should avoid exposing development servers publicly and use environment variables or secure vaults to manage sensitive data instead of relying on local files. Regularly review and update dependencies to incorporate security patches promptly.
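
A sketch of the request monitoring recommended above, as an added example rather than code from the advisory or the Vite project: it scans access-log lines for hits on `/__vite_rsc_findSourceMapURL` whose `filename` parameter decodes to a `file:` URL, including double-encoded values. The common-log-style format, the sample lines and the `dev.invalid` placeholder host are assumptions constructed for illustration.

```javascript
// Added example: flag access-log lines that reach the RSC source-map endpoint
// with a file: URL in `filename`. Log format and sample lines are constructed.
const ENDPOINT = '/__vite_rsc_findSourceMapURL';

// Decode repeatedly so double-encoded values (file%253A...) are still caught.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Extract the request target from a line containing "METHOD target HTTP/x".
function requestTarget(line) {
  const m = /"(?:[A-Z]+) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

function findSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const target = requestTarget(line);
    if (!target) continue;
    let url;
    try { url = new URL(target, 'http://dev.invalid'); } catch { continue; }
    // endsWith tolerates a dev server mounted under a non-root base path.
    if (!url.pathname.endsWith(ENDPOINT)) continue;
    for (const raw of url.searchParams.getAll('filename')) {
      const decoded = fullyDecode(raw).trim();
      if (/^file:/i.test(decoded)) hits.push({ line, filename: decoded });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.7 - - [16/Dec/2025:18:30:01 +0000] "GET /src/main.tsx HTTP/1.1" 200 512',
  '10.0.0.9 - - [16/Dec/2025:18:30:05 +0000] "GET /__vite_rsc_findSourceMapURL?filename=file%3A%2F%2F%2Fhome%2Fdev%2Fapp%2F.env HTTP/1.1" 200 88',
  '10.0.0.9 - - [16/Dec/2025:18:30:06 +0000] "GET /__vite_rsc_findSourceMapURL?filename=FILE%253A%252F%252F%252Ftmp%252Fnotes.txt HTTP/1.1" 200 40',
  '10.0.0.7 - - [16/Dec/2025:18:30:09 +0000] "GET /__vite_rsc_findSourceMapURL?filename=%2Fsrc%2Fapp.tsx HTTP/1.1" 200 64',
];

console.log(findSuspiciousRequests(SAMPLE_LOG).map((h) => h.filename));
```

Any hit from a source other than the developer's own machine also indicates that the development server is reachable from the network and should be restricted.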


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-15T23:02:17.603Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6941a4041a61eff6269a9351

Added to database: 12/16/2025, 6:25:08 PM

Last enriched: 12/16/2025, 6:39:58 PM

Last updated: 12/17/2025, 1:03:03 AM
