CVE-2025-67489
Multiple · Multiple Products utilizing the @vitejs/plugin-rs component.
A critical remote code execution (RCE) vulnerability exists in the @vitejs/plugin-rs component, affecting development servers in multiple products.
Executive summary
A critical remote code execution (RCE) vulnerability exists in the @vitejs/plugin-rs component, affecting development servers in multiple products. An attacker with network access to an exposed development server can take full control of the system, leading to the theft of source code, credentials, and potential pivots into the broader internal network. Due to the critical severity (CVSS 9.8), immediate patching is required to prevent a complete compromise of development environments.
Vulnerability
The vulnerability is an arbitrary remote code execution flaw in the @vitejs/plugin-rs Vite plugin. It stems from unsafe handling of dynamic imports in the plugin's server function APIs, specifically loadServerAction, decodeReply, and decodeAction: module specifiers derived from request data reach a dynamic import without adequate validation. An unauthenticated attacker with network access to the Vite development server can craft requests that reach these APIs and cause the server to import and execute a module of the attacker's choosing. With code execution on the server, the attacker can read, write, or delete files, exfiltrate sensitive data such as source code and environment variables, and use the compromised machine as a staging point for further attacks on the internal network. The risk is significantly amplified when the development server is configured to listen on the network (e.g., with the vite --host flag or server.host set to true) rather than only on the local machine.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would result in a complete compromise of the affected development environment. The business impact includes the potential for significant intellectual property theft through source code exfiltration, exposure of sensitive credentials (API keys, database passwords, private certificates) stored in environment variables, and reputational damage. Furthermore, a compromised development server can serve as an entry point for an attacker to pivot into the corporate network, potentially leading to a wider, more damaging breach of production systems and corporate data.
Remediation
Immediate Action: Identify all development projects that use the @vitejs/plugin-rs component (including nested copies pulled in by other dependencies) and update it to the fixed version 0.5.6 or later. After patching, review access logs for unusual or malicious requests targeting the server function endpoints; such requests may indicate earlier exploitation attempts.
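The audit step above, as an added example that is not code from the advisory or from the Vite project: a Node script that scans an npm lockfile for every installed copy of @vitejs/plugin-rs below the fixed release 0.5.6. It assumes an npm lockfileVersion 2 or 3 file, whose "packages" map keys each installed copy (nested ones included) by its node_modules path; the sample lockfile embedded in the script is constructed.

```javascript
// Added example, not code from the advisory or from the Vite project:
// scan an npm lockfile for installed copies of @vitejs/plugin-rs older than
// the fixed release 0.5.6. Assumes npm lockfileVersion 2 or 3, whose
// "packages" map keys every installed copy (nested ones included) by its
// node_modules path. The sample lockfile below is constructed.

const PACKAGE = "@vitejs/plugin-rs";
const FIXED_VERSION = "0.5.6";

// Compare two dotted versions numerically (so 0.5.10 > 0.5.6). A pre-release
// such as 0.5.6-beta.1 sorts below the 0.5.6 release it precedes.
function compareVersions(a, b) {
  const [aCore, ...aPre] = a.split("-");
  const [bCore, ...bPre] = b.split("-");
  const an = aCore.split(".").map(Number);
  const bn = bCore.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (an[i] || 0) - (bn[i] || 0);
    if (d !== 0) return d;
  }
  if (aPre.length && !bPre.length) return -1;
  if (!aPre.length && bPre.length) return 1;
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Every key ending in "node_modules/<PACKAGE>" is an installed copy; a
// project can carry several (one per dependency that pins its own).
function findVulnerableCopies(lockfile) {
  const suffix = "node_modules/" + PACKAGE;
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(suffix) || typeof entry.version !== "string") continue;
    if (isVulnerable(entry.version)) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample: one vulnerable top-level copy, one nested copy already
// at the fixed version, and an unrelated package.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@vitejs/plugin-rs": { version: "0.5.4" },
    "node_modules/some-lib/node_modules/@vitejs/plugin-rs": { version: "0.5.6" },
    "node_modules/vite": { version: "6.0.0" },
  },
};

for (const f of findVulnerableCopies(sampleLockfile)) {
  console.log(`VULNERABLE ${f.path} ${f.version} (fixed in ${FIXED_VERSION})`);
}
```

To run it against a real project, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to findVulnerableCopies in place of the sample; npm's own `npm ls @vitejs/plugin-rs --all` lists the same installed copies, and yarn or pnpm lockfiles use a different layout that this parser does not read.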
Proactive Monitoring: Implement enhanced monitoring on development servers. Review web server logs for suspicious requests containing path traversal sequences or unexpected dynamic import syntax targeting the loadServerAction, decodeReply, or decodeAction APIs. Monitor for anomalous outbound network traffic from development servers, which could signify data exfiltration or command-and-control communication. Use file integrity monitoring to detect unauthorized changes to source code or system files.
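The log review described above, as an added example that is not code from the advisory or from the Vite project: a triage script that parses Combined Log Format access-log lines, percent-decodes each request target (repeatedly, so double-encoded traversal still surfaces), and flags requests carrying path-traversal sequences or dynamic-import syntax. It assumes the lines were written by a reverse proxy or capture placed in front of the dev server, since Vite's dev server keeps no access log of its own; the request path /__rsc_demo and every log line below are constructed for the example and are not the plugin's real routes.

```javascript
// Added example, not code from the advisory or from the Vite project:
// triage access-log lines for requests that carry path-traversal sequences or
// dynamic-import syntax toward the dev server. Assumes Combined Log Format
// lines written by a reverse proxy or capture in front of the dev server
// (Vite's dev server keeps no access log of its own). The request path
// /__rsc_demo and all log lines below are constructed for the example and
// are not the plugin's real routes.

const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Percent-decode until stable (bounded) so %252e%252e also surfaces as "..".
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { return cur; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

const INDICATORS = [
  { name: "path-traversal", re: /\.\.[\/\\]/ },
  { name: "dynamic-import", re: /\bimport\s*\(/ },
];

// Names of every indicator that matches the decoded request target.
function classifyTarget(target) {
  const decoded = fullyDecode(target);
  return INDICATORS.filter(ind => ind.re.test(decoded)).map(ind => ind.name);
}

// Returns the parsed requests that tripped at least one indicator.
function triage(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const indicators = classifyTarget(req.target);
    if (indicators.length) hits.push({ ...req, indicators });
  }
  return hits;
}

// Constructed sample log: normal asset fetches mixed with suspicious posts.
const sampleLog = [
  '10.0.0.5 - - [12/Jan/2025:10:00:01 +0000] "GET /src/main.tsx HTTP/1.1" 200 512',
  '10.0.0.5 - - [12/Jan/2025:10:00:02 +0000] "POST /__rsc_demo?id=../../../../etc/passwd HTTP/1.1" 500 0',
  '10.0.0.9 - - [12/Jan/2025:10:00:03 +0000] "POST /__rsc_demo?id=%2e%2e%2f%2e%2e%2fnode_modules%2fx.js HTTP/1.1" 500 0',
  '10.0.0.9 - - [12/Jan/2025:10:00:04 +0000] "GET /@vite/client HTTP/1.1" 200 1024',
  '10.0.0.7 - - [12/Jan/2025:10:00:05 +0000] "POST /__rsc_demo?id=import(%27./x.js%27) HTTP/1.1" 500 0',
  'not a log line',
];

for (const hit of triage(sampleLog)) {
  console.log(`${hit.ip} ${hit.method} ${hit.target} -> ${hit.indicators.join(",")} (status ${hit.status})`);
}
```

Request bodies are not in an access log, so a POST whose payload carries the malicious specifier only shows up here if the proxy logs bodies as well; treat this as a first pass that narrows which sources and time windows deserve a look at full captures.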
Compensating Controls: If immediate patching is not feasible, implement the following controls:
- Network Segmentation: Use firewalls to restrict all network access to Vite development servers, ensuring they are only reachable from trusted IP addresses (e.g., corporate VPN, specific developer workstations).
- Restrict Server Binding: Enforce a policy prohibiting developers from using the --host flag or configuring Vite to listen on all network interfaces (server.host set to true or 0.0.0.0).
- Principle of Least Privilege: Ensure development servers are not run with administrative or root privileges to limit the potential impact of a code execution exploit.
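The server-binding control above, as an added example that is not code from the advisory or from the Vite project: a check that inspects a Vite config object and the dev-server command line for settings that expose the listener beyond the local machine, shown with the weak configuration beside the restricted one. It relies on Vite's documented server.host option (true, 0.0.0.0 or :: listen on every interface, which is also what a bare `vite --host` does, and command-line flags override the config file); only the `--host` and `--host <address>` command-line forms are handled.

```javascript
// Added example, not code from the advisory or from the Vite project: check
// a Vite config object (and the dev-server command line) for settings that
// expose the dev server beyond the local machine, and show the restricted
// configuration beside the weak one. Vite's documented server.host option
// accepts true or an address; true, 0.0.0.0 and :: listen on every interface,
// which is also what the bare `vite --host` flag does. Only the `--host` and
// `--host <address>` command-line forms are handled here.

const ALL_INTERFACES = new Set(["0.0.0.0", "::"]);
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);

function describeHost(value, source) {
  if (value === true || (typeof value === "string" && ALL_INTERFACES.has(value))) {
    return `${source}: ${JSON.stringify(value)} listens on every network interface`;
  }
  if (typeof value === "string" && !LOOPBACK.has(value)) {
    return `${source}: ${JSON.stringify(value)} binds a non-loopback address`;
  }
  return null; // unset, false, or loopback: local-only listener
}

// Returns a list of findings; an empty list means the server stays local.
// Command-line flags are checked as well because `vite --host` overrides
// whatever the config file says.
function auditDevServerExposure(config, argv = []) {
  const findings = [];
  const fromConfig = describeHost(config?.server?.host, "vite.config server.host");
  if (fromConfig) findings.push(fromConfig);

  const i = argv.indexOf("--host");
  if (i !== -1) {
    const next = argv[i + 1];
    const value = next !== undefined && !next.startsWith("-") ? next : true;
    const fromCli = describeHost(value, "command line --host");
    if (fromCli) findings.push(fromCli);
  }
  return findings;
}

// Weak: host: true (equivalent to --host) exposes the dev server to the LAN.
const weakConfig = {
  server: { host: true, port: 5173 },
};

// Restricted: bind loopback only; strictPort makes Vite fail instead of
// silently moving to another port if 5173 is taken, so firewall rules
// written for 5173 keep matching.
const restrictedConfig = {
  server: { host: "127.0.0.1", port: 5173, strictPort: true },
};

for (const [name, cfg, argv] of [
  ["weak config", weakConfig, []],
  ["restricted config", restrictedConfig, []],
  ["restricted config + `vite --host`", restrictedConfig, ["--host"]],
]) {
  const findings = auditDevServerExposure(cfg, argv);
  console.log(`${name}: ${findings.length ? findings.join("; ") : "local-only"}`);
}
```

The third case is the one a policy has to cover: a hardened vite.config does nothing once a developer types `vite --host`, so the check (or a wrapper npm script) should look at the command line, not just the file.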
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8, this vulnerability poses a severe and immediate risk to the organization's intellectual property and network security. We strongly recommend that all development teams immediately audit their projects for the vulnerable @vitejs/plugin-rs component and update it to version 0.5.6 or later with the highest priority. Although this CVE is not currently on the CISA KEV list, its high severity makes it a prime candidate for future inclusion. Organizations should also review and enforce security policies for development environments to prevent unnecessary network exposure of developer tools.