@amazeelabs/bridge-waku (>=1.1.9 <=2.0.1), @amazeelabs/executors (>=3.1.12 <=3.1.14) +20 more potentially affected by CVE-2026-23864 via react-server-dom-webpack (>=19.0.0 <=19.0.1)

react-server-dom-webpack NPM version =19.0.0, =1.1.9, =3.1.12, =1.4.7, =1.1.3, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859,...

GHSA-83FC-FQCC-2HMG React Server Components have multiple Denial of Service Vulnerabilities

Impact It was found that the fixes to address DoS in React Server Components were incomplete and we found multiple denial of service vulnerabilities still exist in React Server Components. We recommend updating immediately. The vulnerability exists in versions 19.0.0, 19.0.1, 19.0.2, 19.0.3,...

Exploit for Deserialization of Untrusted Data in Facebook React

CVE-2025-55182-PoC-http-exec PoC terkait CVE-2025-55182 untu...

Malicious Package

Overview acces-react is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

Malicious Package

Overview @aftersale/react-eva is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864. A specially crafted HTTP...

GHSA-H25M-26QC-WCJF Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864. A specially crafted HTTP...

CVE-2026-23864

A flaw was found in React Server Components. A remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to Server Function endpoints. This can lead to a Denial of Service DoS, causing server crashes, out-of-memory exceptions, or excessive CPU usage, thereby...

MAL-2026-626 Malicious code in react-toast-cold (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10dcf80d6b6e15bcfb18c2f1a4211efd1c79f6f66e8aa34bbab7107a90d1da86 The package react-toast-cold was found to contain malicious code. Source: ghsa-malware dc67550f336ea3c52946bb6d0ab4f031eee7a60cc562b0fd4220750c72f086...

Malicious code in react-toast-cold (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10dcf80d6b6e15bcfb18c2f1a4211efd1c79f6f66e8aa34bbab7107a90d1da86 The package react-toast-cold was found to contain malicious code. Source: ghsa-malware dc67550f336ea3c52946bb6d0ab4f031eee7a60cc562b0fd4220750c72f086...

Exploit for Deserialization of Untrusted Data in Facebook React

!Image Althttps://github.com/AsadAhmad-1337/React-2-Shell/blo...

Malicious Package

Overview @spx-delivery/react is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

K000159700: React framework vulnerability CVE-2026-23864

Security Advisory Description Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests ...

CVE-2026-23864

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints,...

@amazeelabs/bridge-waku (>=1.1.0 <=2.0.1), @amazeelabs/executors (>=3.0.0 <=3.1.14) +52 more potentially affected by CVE-2025-55184 +1 more via react-server-dom-webpack (>=19.0.0-canary-36e62c603-20240418 <=19.0.1)

react-server-dom-webpack NPM version =19.0.0-canary-36e62c603-20240418, =1.1.0, =3.0.0, =1.1.0, =1.1.0, =1.0.0-canary.12245, =0.9.1-next.19, =1.0.0-canary.12245, =0.9.1-next.19, =1.0.0-canary.12245, =1.0.0-canary.12245, =1.0.0-canary.12245, =0.9.1-next.19, =1.0.0-canary.12245, =1.0.0-canary.12245...

Allocation of Resources Without Limits or Throttling

Overview react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or...

@cedarjs/api-server (>=1.0.0-canary.12863 <=3.0.0-canary.13332), @cedarjs/cli (>=1.0.0-canary.12863 <=3.0.0-canary.13332) +10 more potentially affected by CVE-2025-55184 +1 more via react-server-dom-webpack (>=19.2.1 <=19.2.3)

react-server-dom-webpack NPM version =19.2.1, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863,...

Allocation of Resources Without Limits or Throttling

Overview react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttli...

Allocation of Resources Without Limits or Throttling

Overview next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the decoding reply functions of React Flight protocol. An attacker can cause server crashes, out-of-memory exceptions, or excessive CPU usage by sending...

Allocation of Resources Without Limits or Throttling

Overview @modern-js/utils is a progressive web framework based on React. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the decoding reply functions of React Flight protocol. An attacker can cause server crashes, out-of-memory exception...