Severity: Critical
CVSS Score: 10
### Summary `@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r ### Impact Applications using affected versions of `@vitejs/plugin-rsc` are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability. ### Recommendations Upgrade immediately to `@vitejs/plugin-rsc@0.5.3` or later. ### Workarounds Applications not using server-side React or React Server Components are unaffected.