A critical remote code execution (RCE) vulnerability, identified as CVE-2025-67489, has been discovered in the @vitejs/plugin-rsc open-source component. This flaw stems from the use of unsafe dynamic imports within RSC server function APIs, specifically impacting development server environments. Exploitation of this vulnerability could allow an attacker to execute arbitrary code remotely on the affected development server.

Technical Details

  • CVE ID: CVE-2025-67489
  • Published: 2025-12-10 11:09 UTC
  • Product: Unknown
  • Risk Score: 5.3/10
  • Severity: CRITICAL
  • Original Source: Google_OSV

Remediation

Organizations using @vitejs/plugin-rsc should monitor for official patches and update their installations immediately upon release. Because this vulnerability affects the development server, do not expose development environments publicly or deploy them to production. As a best practice, developers should review and secure their use of dynamic imports within RSC server function APIs. If a patch is not immediately available, consider temporarily disabling or restricting access to the affected development server functionality.
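One way to check the exposure advice above, as an added example that is not code from the advisory or from the plugin: it flags a project that depends on @vitejs/plugin-rsc and binds the Vite dev server beyond loopback through the `--host` flag or the `server.host` option. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example: heuristic audit for a network-exposed Vite dev server.
// Assumes Vite's documented `server.host` option and `--host` CLI flag.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// `true`, a bare `--host` (undefined) or any non-loopback address is exposed.
function isExposed(host) {
  return host === true || host === undefined || !LOOPBACK.has(host);
}

// npm scripts that start vite with a --host flag.
function scanScripts(pkg) {
  const hits = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (!/\bvite\b/.test(cmd)) continue;
    // The value is optional; a following flag such as --port is not a value.
    const m = cmd.match(/--host(?=[=\s]|$)(?:[=\s]+([^\s-]\S*))?/);
    if (!m) continue;
    const host = m[1] ? m[1].replace(/['"]/g, '') : undefined;
    if (isExposed(host)) hits.push(`script "${name}": ${m[0].trim()}`);
  }
  return hits;
}

// `host:` entries in the source text of a vite config file.
function scanConfig(src) {
  const hits = [];
  const re = /\bhost\s*:\s*(true|['"`]([^'"`]+)['"`])/g;
  for (const m of src.matchAll(re)) {
    const host = m[1] === 'true' ? true : m[2];
    if (isExposed(host)) hits.push(`config: ${m[0]}`);
  }
  return hits;
}

function audit(pkg, configSrc) {
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const usesPluginRsc = '@vitejs/plugin-rsc' in deps;
  const exposures = [...scanScripts(pkg), ...scanConfig(configSrc)];
  return { usesPluginRsc, exposures, atRisk: usesPluginRsc && exposures.length > 0 };
}

// Constructed sample inputs (not taken from a real project).
const samplePkg = {
  devDependencies: { vite: '*', '@vitejs/plugin-rsc': '*' },
  scripts: { dev: 'vite --host --port 5173', local: 'vite --host localhost', build: 'vite build' },
};
const sampleConfig = "export default { server: { host: '0.0.0.0', allowedHosts: ['app.test'] } }";
console.log(audit(samplePkg, sampleConfig));
```

The scan works on raw text, so a commented-out `host:` line is also reported; treat each hit as a prompt to read the file.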

Disclaimer: This summary was generated by an Artificial Intelligence system and has not been verified by a human expert. Use at your own risk.

