@vitejs/plugin-rsc Remote Code Execution Vulnerability in React Server Components Support

Vulnerability

A remote code execution vulnerability has been identified in @vitejs/plugin-rsc, which provides support for React Server Components (RSC) in Vite. This vulnerability affects versions 0.5.5 and prior, allowing arbitrary code execution on the development server. The issue arises from unsafe dynamic imports in server function APIs, such as loadServerAction, decodeReply, and decodeAction, when used in RSC applications that expose server function endpoints. Attackers with network access to the development server can exploit this vulnerability to execute arbitrary JavaScript code with Node.js privileges. This could lead to unauthorized access or modification of files, exfiltration of sensitive data like source code, environment variables, and credentials, or pivoting to other internal services. The vulnerability is particularly concerning when the development server is exposed on all network interfaces using 'vite --host'.

Impact

Exploitation of this vulnerability allows for arbitrary remote code execution on the development server, with the executed code running in a Node.js environment. This could result in unauthorized file access or modifications, leakage of sensitive information such as source code and credentials, or unauthorized access to other internal services.

Reproduction

To reproduce this vulnerability, set up a Vite development server using @vitejs/plugin-rsc version 0.5.5 or earlier. Once the server is running, send a POST request to the server function endpoint with a payload that includes a data URL as a reference. The server will execute the code included in the data URL, demonstrating the vulnerability.
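The root cause described above is a server-function reference taken from the request body and passed straight to a dynamic import. The following added example (not code from @vitejs/plugin-rsc; the manifest entries and function names are constructed for illustration) shows the defensive pattern that closes that hole: treat the reference as an opaque lookup key into a build-time manifest, reject anything that looks like a module specifier such as a data URL or a path, and only then import the module the manifest names.

```javascript
// Constructed manifest standing in for what a build step would emit for
// registered server functions. Keys are opaque IDs handed to the client;
// values are the only module/export pairs the server may load.
const SERVER_REFERENCE_MANIFEST = Object.freeze({
  "act_7c1f2a": { module: "./src/actions/updateProfile.js", name: "updateProfile" },
  "act_0b9e44": { module: "./src/actions/deletePost.js", name: "deletePost" },
});

// Anything resembling a module specifier is refused outright: URL schemes
// (data:, http:, file:, node:), absolute paths, ./ or ../ prefixes, and any
// embedded ".." traversal segment.
const SPECIFIER_LIKE = /^(?:[a-z][a-z0-9+.-]*:|\/|\.{1,2}\/|.*\.\.)/i;

// Returns { ok: true, entry } for a registered reference, otherwise
// { ok: false, reason } describing why the request was refused.
function validateServerReference(rawId, manifest = SERVER_REFERENCE_MANIFEST) {
  if (typeof rawId !== "string" || rawId.length === 0 || rawId.length > 128) {
    return { ok: false, reason: "malformed reference id" };
  }
  if (SPECIFIER_LIKE.test(rawId)) {
    return { ok: false, reason: "reference id looks like a module specifier" };
  }
  // Own-property lookup only, so keys such as "constructor" or "__proto__"
  // cannot resolve through the manifest's prototype chain.
  if (!Object.prototype.hasOwnProperty.call(manifest, rawId)) {
    return { ok: false, reason: "unknown reference id" };
  }
  return { ok: true, entry: manifest[rawId] };
}

// Hardened loader: the import target comes from the manifest, never from the
// request. The importer is injectable so the resolution step can be exercised
// without the listed modules existing on disk.
async function loadServerActionSafe(rawId, importer = (spec) => import(spec)) {
  const check = validateServerReference(rawId);
  if (!check.ok) {
    throw new Error(`refused server reference: ${check.reason}`);
  }
  const mod = await importer(check.entry.module);
  const fn = mod[check.entry.name];
  if (typeof fn !== "function") {
    throw new Error(`manifest entry ${rawId} does not export a function`);
  }
  return fn;
}
```

A refused reference should also be logged with the source address, since on a dev server exposed with `vite --host` a stream of such refusals is the signal that someone is probing the endpoint.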

Remediation

Users can upgrade to @vitejs/plugin-rsc version 0.5.6 or later to address this vulnerability.

Added: Dec 9, 2025, 9:37 PM
Updated: Dec 9, 2025, 9:37 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          7.5
  exploitability  8.7
  remediation     7.7
  relevance       1.4
  threat          6.4
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.