Facebook React

6 matches found

CVE
added 2025/12/03 3:40 p.m. | 1100 views

CVE-2025-55182

CVE-2025-55182 is a pre-auth remote code execution vulnerability in React Server Components (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0) affecting react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The issue arises from unsafe deserialization of payloads in HTTP reque...

CVSS 10 | AI score 7.8 | EPSS 0.99562
In wild
CVE
added 2018/12/31 10:0 p.m. | 103 views

CVE-2018-6341

CVE-2018-6341 (React/XSS): The IBM bulletin confirms a vulnerability in React where rendering HTML via ReactDOMServer fails to escape user-supplied attribute names, enabling cross-site scripting. Affected versions are React 16.0.x through 16.4.x; the issue arises from improper validation/escapin...

CVSS 6.1 | AI score 5.8 | EPSS 0.03426
CVE
added 2026/01/26 7:16 p.m. | 65 views

CVE-2026-23864

CVE-2026-23864 affects React Server Components packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The connected advisories describe a denial-of-service condition triggered by specially crafted HTTP requests to Server Function endpoints, potentially causin...

CVSS 7.5 | AI score 6 | EPSS 0.01469
CVE
added 2025/12/11 8:5 p.m. | 50 views

CVE-2025-55184

CVE-2025-55184 is a pre-authentication Denial of Service vulnerability in React Server Components from versions 19.0.0 through 19.2.2 (affecting react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack). The issue arises from unsafe deserialization of HTTP payloads sent t...

CVSS 7.5 | AI score 6.6 | EPSS 0.65592
In wild | Web
CVE
added 2025/12/11 11:36 p.m. | 27 views

CVE-2025-67779

CVE-2025-67779 describes a denial-of-service vulnerability in React Server Components caused by an incomplete fix for unsafe deserialization. The issue allows crafted HTTP payloads to Server Function endpoints to trigger an infinite loop, tying up CPU and potentially making the server unresponsiv...

CVSS 7.5 | AI score 6.4 | EPSS 0.1888
CVE
added 2025/12/11 8:4 p.m. | 25 views

CVE-2025-55183

CVE-2025-55183 is a source code disclosure vulnerability in React Server Components (RSC) Server Functions. A crafted HTTP request to a vulnerable Server Function may cause the server to return the full source code of that function when the argument is stringified. Affected are RSC versions 19.0....

CVSS 5.3 | AI score 6.4 | EPSS 0.62405
Web