Vulnerability in Stylex Project

### Describe the issue

While working on the Stylex project, I uploaded the package files to Vulert for a dependency scan. The scan flagged a critical RCE vulnerability [CVE-2025-67489](https://vulert.com/vuln-db/CVE-2025-67489) affecting @vitejs/plugin-rsc.
The issue is caused by unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction), allowing attackers with network access to execute arbitrary JavaScript code on the Node.js server.

[CVE Report](https://vulert.com/vuln-scan/list/97bde66f-7074-4823-9616-f67c5cdb556c?sort_order=desc&sort_by=created_at)
[CVE Link](https://vulert.com/vuln-db/CVE-2025-67489)


### Expected behavior

The package should not ship with vulnerable server APIs that allow RCE.

### Steps to reproduce

Upload the project’s package.json and lock file to [Vulert](https://vulert.com/).
Run a vulnerability scan.
Observe that Vulert reports CVE-2025-67489 for @vitejs/plugin-rsc, indicating an RCE risk caused by unsafe dynamic imports.



### Test case

_No response_

### Additional comments

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vulnerability in Stylex Project #1385

Describe the issue

Expected behavior

Steps to reproduce

Test case

Additional comments

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Vulnerability in Stylex Project #1385

Description

Describe the issue

Expected behavior

Steps to reproduce

Test case

Additional comments

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions