VulnCheck KEV: CVE-2025-55184

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafe...

React Server Components have a Denial of Service Vulnerability

Impact A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0, 19.1.0 and 19.2.0. The vulnerability is triggered by sending specially crafted HTTP requests...

K000160686: React framework vulnerability CVE-2026-23869

Security Advisory Description A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4. T...

CVE-2026-23869

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4. The vulnerability is triggered ...

CVE-2026-23869

A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4. The vulnerability is triggered ...

Allocation of Resources Without Limits or Throttling

Overview react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or...

CVE-2026-23864

CVE-2026-23864 affects React Server Components packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The connected advisories describe a denial-of-service condition triggered by specially crafted HTTP requests to Server Function endpoints, potentially causin...

GHSA-7GMR-MQ3H-M5H9 Denial of Service Vulnerability in React Server Components

Impact It was found that the fix to address CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. We recommend updating immediately. The vulnerability exists in versions 19.0.2, 19.1.3, and 19.2.2 of: - react-server-dom-webpac...

Node.js React Server Components Denial of Service (CVE-2025-67779)

Multiple Node.js React Server Components packages are affected by a denial of service vulnerability. The following Node.js packages and versions are affected: - react-server-dom-webpack 19.0.2, 19.1.3, 19.2.2 - react-server-dom-parcel 19.0.2, 19.1.3, 19.2.2 - react-server-dom-turbopack 19.0.2,...

CVE-2025-55184

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafe...

CVE-2025-55183

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically...

Exploit for Deserialization of Untrusted Data in Facebook React

React CVE-2025-55182 Vulnerability Scanner A bash script to s...

CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes...

CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes...

Node.js React Server Components Unauthenticated Remote Code Execution (CVE-2025-55182)

Multiple Node.js React Server Components packages are affected by an unauthenticated remote code execution vulnerability. The following Node.js packages and versions are affected: - react-server-dom-webpack 19.0, 19.1.0, 19.1.1, 19.2.0 - react-server-dom-parcel 19.0, 19.1.0, 19.1.1, 19.2.0 -...

Malicious Package

Overview react-server-dom-turbopack-experimental is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organizatio...