103 matches found
PT-2026-26681
Name of the Vulnerable Software and Affected Versions Effect versions prior to 3.20.0 @effect/rpc versions prior to 0.72.1 @effect/platform versions prior to 0.94.2 Description Effect is a TypeScript framework used for building TypeScript applications. A flaw exists in versions prior to 3.20.0,...
CVE-2026-27979
A denial of service flaw has been discovered in Next.js. A request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode...
CVE-2026-27979
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...
CVE-2026-27979 Next.js: Unbounded postponed resume buffering can lead to DoS
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...
CVE-2026-27979
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...
CVE-2026-27979
Next.js CVE-2026-27979 affects Next.js 16.0.1 through 16.1.6 in non-minimal deployments with Partial Prerendering enabled. A request containing the next-resume: 1 header can cause unbounded postponed-body buffering, consuming memory and enabling DoS. The issue is fixed in 16.1.7 by enforcing size...
CVE-2026-27979 Next.js: Unbounded postponed resume buffering can lead to DoS
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...
Next.js: Unbounded postponed resume buffering can lead to DoS
Summary A request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments...
PT-2026-25969
Name of the Vulnerable Software and Affected Versions Next.js versions 16.0.1 through 16.1.6 Description Next.js, a React framework for building full-stack web applications, is affected by an issue where requests containing the next-resume: 1 header can lead to excessive memory usage and potentia...
Exploit for Deserialization of Untrusted Data in Facebook React
RSC Sentinel CVE-2025-55182 Next.js / React Server Components...
GHSA-H25M-26QC-WCJF Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864. A specially crafted HTTP...
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864. A specially crafted HTTP...
Exploit for Deserialization of Untrusted Data in Facebook React
CyberSec Blog CTF - React2Shell PoC Ce dépôt fournit un envir...
Malicious Package
Overview shopify-app-react-router is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
MAL-2025-192977 Malicious code in shopify-app-react-router (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d58b68abe183faeee5b24e4b524d982d1c78881c8d0c48dd847411bf8fc087e6 The package shopify-app-react-router was found to contain malicious code. Source: ghsa-malware...
Exploit for Deserialization of Untrusted Data in Facebook React
🚨 NextRce — CVE-2025-55182 Next.js / React Server Components...
CVE-2025-68130
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router...
Exploit for Deserialization of Untrusted Data in Facebook React
React2Shell PoC This repository provides a minimal intentiona...
tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
Note that this vulnerability is only present when using experimentalcaller / experimentalnextAppDirCaller. Summary A Prototype Pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by...
CVE-2025-68130
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router...