Security Advisory: Development Mode RSC Handler Vulnerability

[MichaelAdamGroberman]

Security Advisory: Development Mode RSC Handler Vulnerability

Summary

A security vulnerability was discovered and patched in Waku's development mode RSC (React Server Components) handler that allowed unauthenticated attackers to import and invoke arbitrary Node.js built-in modules, leading to system information disclosure.

Severity

• CVSS Score: 7.5 (High)
• Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• CWE: CWE-94 (Code Injection), CWE-200 (Information Exposure)

Affected Versions

• Waku versions <= 0.21.0

Description

In development mode, Waku's request handler passed user-controlled file paths directly to Vite's ssrLoadModule() without validation. This allowed attackers to request arbitrary Node.js modules via the RSC endpoint.

Attack endpoint pattern: /RSC/F/{module}/{export}.txt

Example attack:

curl -s 'http://localhost:3005/RSC/F/node:os/networkInterfaces.txt' -X POST

Information Disclosed

| Category   | Data Leaked                                 |
|------------|---------------------------------------------|
| Network    | IP addresses, MAC addresses, VPN interfaces |
| User       | UID, username, home directory, shell        |
| Hardware   | CPU model, core count                       |
| Filesystem | Working directory paths                     |

Mitigation

- Update Waku to the latest version
- General guidance: Never expose development servers to untrusted networks

Timeline

- 2025-12-12: Vulnerability discovered and reported
- 2025-12-12: Patch developed and released

Credit

Discovered by Michael Groberman

---
Thank you to the Waku team for the immediate response and patch!

[dai-shi]

Waku versions <= 0.21.0

I suppose later versions have the same logic. Could you confirm that?

[abhigyan17]

This is a good catch and a critical reminder about development mode risks. The CVSS 7.5 rating is appropriate given the code injection potential. One thing worth emphasizing in the advisory is that development environments often lack the same monitoring and access controls as production, making them attractive targets for attackers looking to establish initial access.

For teams using Waku, I'd recommend treating dev mode servers similar to staging environments where possible - enforce authentication, limit access from untrusted networks, and monitor for unauthorized module imports. Even in development, seeing unexpected Node.js require calls should trigger investigation.

Also valuable to run SAST tools on code that imports external modules in development mode. Tools can flag potentially dangerous patterns before they reach runtime. The fact that this required unauthenticated access makes it particularly concerning - securing the dev server boundary is critical.

[MichaelAdamGroberman]

Yes On Dec 22, 2025, at 11:05 AM, its-htz (Hacksmith Tech Zone) ***@***.***> wrote: This is a good catch and a critical reminder about development mode risks. The CVSS 7.5 rating is appropriate given the code injection potential. One thing worth emphasizing in the advisory is that development environments often lack the same monitoring and access controls as production, making them attractive targets for attackers looking to establish initial access. For teams using Waku, I'd recommend treating dev mode servers similar to staging environments where possible - enforce authentication, limit access from untrusted networks, and monitor for unauthorized module imports. Even in development, seeing unexpected Node.js require calls should trigger investigation. Also valuable to run SAST tools on code that imports external modules in development mode. Tools can flag potentially dangerous patterns before they reach runtime. The fact that this required unauthenticated access makes it particularly concerning - securing the dev server boundary is critical. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[MichaelAdamGroberman]

Yes, everything before the patched version.

…

On Dec 12, 2025, at 9:09 PM, Daishi Kato ***@***.***> wrote: Waku versions <= 0.21.0 I suppose later versions have the same logic. Could you confirm that? — Reply to this email directly, view it on GitHub <#1841 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ATPQBMGDUTBBE6C6XNEYLGD4BNYMTAVCNFSM6AAAAACO5CVW32VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTKMRUGQ4TINI>. You are receiving this because you authored the thread.