## Summary Arbitrary Remote Code Execution on development server via unsafe dynamic imports in `@vitejs/plugin-rsc` server function APIs (`loadServerAction`, `decodeReply`, `decodeAction`) when integrated into RSC applications that expose server function endpoints. ## Impact Attackers with network access to the development server can execute arbitrary JavaScript code with Node.js privileges, allowing them to read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk …
GHSA-j76j-5p5g-9wfr: @vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server
Arbitrary Remote Code Execution (RCE) in @vitejs/plugin-rsc via unsafe dynamic imports in server function APIs on development servers.