Vite Plugin React has a Denial of Service Vulnerability in React Server Components

Impact

@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.3. See details in React repository's advisory GHSA-7gmr-mq3h-m5h9

Patches

Upgrade immediately to @vitejs/[email protected] or later.

References

GHSA-cpqf-f22c-r95x

hi-ogawa published to vitejs/vite-plugin-react Dec 12, 2025

Published to the GitHub Advisory Database Dec 12, 2025

Reviewed Dec 12, 2025

Last updated Dec 12, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

Uncontrolled Resource Consumption

Deserialization of Untrusted Data

Dependency on Vulnerable Third-Party Component

CVE ID

GHSA ID

Source code

Uh oh!