@vitejs/plugin-rsc Arbitrary File Read Vulnerability in Development Mode
Vulnerability
A vulnerability in the @vitejs/plugin-rsc package, prior to version 0.5.8, allows for unauthenticated arbitrary file reading during development. This issue arises in the '/__vite_rsc_findSourceMapURL' endpoint, where a crafted HTTP request can be used to access any file available to the Node.js process. The vulnerability is triggered by including a 'file://' URL in the 'filename' query parameter. This flaw affects all developers using the plugin in Vite's development environment.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files, such as environment files, SSH keys, cloud credentials, database passwords, API keys, source code from other projects, and system files like '/etc/passwd' or '/etc/shadow'.
Reproduction
To reproduce this vulnerability, run a Vite development server with the @vitejs/plugin-rsc plugin enabled. Then send a request to the '/__vite_rsc_findSourceMapURL' endpoint with a 'file://' URL in the 'filename' query parameter, pointing to a file that the Node.js process can read. If the file exists and is readable, its contents are returned in the response, demonstrating the arbitrary file read.
Remediation
Users can update to @vitejs/plugin-rsc version 0.5.8 or later, where this vulnerability has been fixed.
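The kind of containment check this endpoint's 'filename' parameter calls for, as an added example that is not the plugin's code and not the fix shipped in 0.5.8. It assumes a POSIX host, a hypothetical project root, and that bare paths are root-relative; only the endpoint and parameter names come from this advisory.

```javascript
// Added example (not the plugin's code). Assumes a POSIX host and a
// hypothetical project root; only the endpoint and parameter names come
// from the advisory.
const path = require('node:path');
const { fileURLToPath } = require('node:url');

const ENDPOINT = '/__vite_rsc_findSourceMapURL';

// Turn the `filename` value into an absolute path, or null if it is not a
// usable local file reference (foreign scheme, remote host, encoded slash).
function toLocalPath(filename, root) {
  if (/^file:/i.test(filename)) {
    try { return fileURLToPath(filename); } catch { return null; }
  }
  if (/^[a-z][a-z0-9+.-]+:/i.test(filename)) return null;
  return path.resolve(root, filename); // assumption: bare paths are root-relative
}

// Lexical containment check. path.relative avoids the prefix bug where
// "/srv/app-secrets" passes a startsWith("/srv/app") test. Symlinks are not
// resolved here; a real check would compare fs.realpath results.
function isInsideRoot(absPath, root) {
  const rel = path.relative(path.resolve(root), absPath);
  return rel !== '' && rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Returns 'ignore' for other routes, otherwise 'allow' or 'deny'.
function verdict(reqUrl, root) {
  const url = new URL(reqUrl, 'http://localhost');
  if (url.pathname !== ENDPOINT) return 'ignore';
  const filename = url.searchParams.get('filename');
  if (filename === null) return 'allow'; // nothing to resolve
  const abs = toLocalPath(filename, root);
  return abs !== null && isInsideRoot(abs, root) ? 'allow' : 'deny';
}

// Connect-style middleware built on verdict(); rejects denied requests.
function sourceMapGuard(root) {
  return (req, res, next) => {
    if (verdict(req.url, root) !== 'deny') return next();
    res.statusCode = 403;
    res.end('Forbidden');
  };
}
```

The same verdict() function can be run over recorded dev-server request URLs to find past requests that referenced files outside the project.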
