Search criteria
12 vulnerabilities found for react by facebook
CVE-2025-67779 (GCVE-0-2025-67779)
Vulnerability from nvd – Published: 2025-12-11 23:36 – Updated: 2025-12-12 18:40
VLAI?
Summary
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Severity ?
7.5 (High)
CWE
- (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-parcel |
Affected:
19.0.2 , ≤ 19.0.2
(semver)
Affected: 19.1.3 , ≤ 19.1.3 (semver) Affected: 19.2.2 , ≤ 19.2.2 (semver) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67779",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T18:39:24.796538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T18:40:45.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.2",
"status": "affected",
"version": "19.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.3",
"status": "affected",
"version": "19.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.2",
"status": "affected",
"version": "19.2.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.2",
"status": "affected",
"version": "19.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.3",
"status": "affected",
"version": "19.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.2",
"status": "affected",
"version": "19.2.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.2",
"status": "affected",
"version": "19.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.3",
"status": "affected",
"version": "19.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.2",
"status": "affected",
"version": "19.2.2",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T23:36:20.699Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-67779"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-67779",
"datePublished": "2025-12-11T23:36:20.699Z",
"dateReserved": "2025-12-11T22:58:08.827Z",
"dateUpdated": "2025-12-12T18:40:45.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55184 (GCVE-0-2025-55184)
Vulnerability from nvd – Published: 2025-12-11 20:05 – Updated: 2025-12-11 20:11
VLAI?
Summary
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Severity ?
7.5 (High)
CWE
- (CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-webpack |
Affected:
19.0.0 , ≤ 19.0.1
(semver)
Affected: 19.1.0 , ≤ 19.1.2 (semver) Affected: 19.2.0 , ≤ 19.2.1 (semver) |
||||||||||||
|
||||||||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "(CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:11:26.262Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55184"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55184",
"datePublished": "2025-12-11T20:05:01.328Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-12-11T20:11:26.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55183 (GCVE-0-2025-55183)
Vulnerability from nvd – Published: 2025-12-11 20:04 – Updated: 2025-12-11 20:09
VLAI?
Summary
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
Severity ?
5.3 (Medium)
CWE
- (CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-webpack |
Affected:
19.0.0 , ≤ 19.0.1
(semver)
Affected: 19.1.0 , ≤ 19.1.2 (semver) Affected: 19.2.0 , ≤ 19.2.1 (semver) |
||||||||||||
|
||||||||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "(CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:09:32.286Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55183"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55183",
"datePublished": "2025-12-11T20:04:48.655Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-12-11T20:09:32.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55182 (GCVE-0-2025-55182)
Vulnerability from nvd – Published: 2025-12-03 15:40 – Updated: 2025-12-11 20:15
VLAI?
Summary
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Severity ?
10 (Critical)
CWE
- Deserialization of Untrusted Data (CWE-502)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-webpack |
Affected:
19.0.0 , ≤ 19.0.0
(semver)
Affected: 19.1.0 , ≤ 19.1.1 (semver) Affected: 19.2.0 , ≤ 19.2.0 (semver) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55182",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-12-05",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T04:55:42.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"media-coverage"
],
"url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-05T00:00:00+00:00",
"value": "CVE-2025-55182 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-12-04T17:32:12.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
},
{
"url": "https://news.ycombinator.com/item?id=46136026"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.1",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.1",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.1",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Deserialization of Untrusted Data (CWE-502)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:15:37.699Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55182",
"datePublished": "2025-12-03T15:40:56.894Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-12-11T20:15:37.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-6341 (GCVE-0-2018-6341)
Vulnerability from nvd – Published: 2018-12-31 22:00 – Updated: 2025-05-06 16:54
VLAI?
Summary
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (CWE-79)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| react-dom |
Affected:
16.4.2
Affected: 16.4.0 , < unspecified (custom) Affected: 16.3.3 Affected: 16.3.0 , < unspecified (custom) Affected: 16.2.1 Affected: 16.2.0 , < unspecified (custom) Affected: 16.1.2 Affected: 16.1.0 , < unspecified (custom) Affected: 16.0.1 Affected: 16.0.0 , < unspecified (custom) Unaffected: unspecified , < 16.0.0 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:01:48.794Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/reactjs/status/1024745321987887104"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2018-6341",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T16:54:12.196558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T16:54:17.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "react-dom",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "16.4.2"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.4.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "16.3.3"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.3.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "16.2.1"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.2.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "16.1.2"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "16.0.1"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
},
{
"lessThan": "16.0.0",
"status": "unaffected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2018-08-01T00:00:00.000Z",
"datePublic": "2018-12-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-31T21:57:01.000Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/reactjs/status/1024745321987887104"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2018-08-01",
"ID": "CVE-2018-6341",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "react-dom",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "16.4.2"
},
{
"version_affected": "\u003e=",
"version_value": "16.4.0"
},
{
"version_affected": "!=\u003e",
"version_value": "16.3.3"
},
{
"version_affected": "\u003e=",
"version_value": "16.3.0"
},
{
"version_affected": "!=\u003e",
"version_value": "16.2.1"
},
{
"version_affected": "\u003e=",
"version_value": "16.2.0"
},
{
"version_affected": "!=\u003e",
"version_value": "16.1.2"
},
{
"version_affected": "\u003e=",
"version_value": "16.1.0"
},
{
"version_affected": "!=\u003e",
"version_value": "16.0.1"
},
{
"version_affected": "\u003e=",
"version_value": "16.0.0"
},
{
"version_affected": "!\u003c",
"version_value": "16.0.0"
}
]
}
}
]
},
"vendor_name": "Facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html",
"refsource": "MISC",
"url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
},
{
"name": "https://twitter.com/reactjs/status/1024745321987887104",
"refsource": "MISC",
"url": "https://twitter.com/reactjs/status/1024745321987887104"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2018-6341",
"datePublished": "2018-12-31T22:00:00.000Z",
"dateReserved": "2018-01-26T00:00:00.000Z",
"dateUpdated": "2025-05-06T16:54:17.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-67779 (GCVE-0-2025-67779)
Vulnerability from cvelistv5 – Published: 2025-12-11 23:36 – Updated: 2025-12-12 18:40
VLAI?
Summary
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Severity ?
7.5 (High)
CWE
- (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-parcel |
Affected:
19.0.2 , ≤ 19.0.2
(semver)
Affected: 19.1.3 , ≤ 19.1.3 (semver) Affected: 19.2.2 , ≤ 19.2.2 (semver) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67779",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T18:39:24.796538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T18:40:45.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.2",
"status": "affected",
"version": "19.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.3",
"status": "affected",
"version": "19.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.2",
"status": "affected",
"version": "19.2.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.2",
"status": "affected",
"version": "19.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.3",
"status": "affected",
"version": "19.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.2",
"status": "affected",
"version": "19.2.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.2",
"status": "affected",
"version": "19.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.3",
"status": "affected",
"version": "19.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.2",
"status": "affected",
"version": "19.2.2",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T23:36:20.699Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-67779"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-67779",
"datePublished": "2025-12-11T23:36:20.699Z",
"dateReserved": "2025-12-11T22:58:08.827Z",
"dateUpdated": "2025-12-12T18:40:45.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55184 (GCVE-0-2025-55184)
Vulnerability from cvelistv5 – Published: 2025-12-11 20:05 – Updated: 2025-12-11 20:11
VLAI?
Summary
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Severity ?
7.5 (High)
CWE
- (CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-webpack |
Affected:
19.0.0 , ≤ 19.0.1
(semver)
Affected: 19.1.0 , ≤ 19.1.2 (semver) Affected: 19.2.0 , ≤ 19.2.1 (semver) |
||||||||||||
|
||||||||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "(CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:11:26.262Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55184"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55184",
"datePublished": "2025-12-11T20:05:01.328Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-12-11T20:11:26.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55183 (GCVE-0-2025-55183)
Vulnerability from cvelistv5 – Published: 2025-12-11 20:04 – Updated: 2025-12-11 20:09
VLAI?
Summary
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
Severity ?
5.3 (Medium)
CWE
- (CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-webpack |
Affected:
19.0.0 , ≤ 19.0.1
(semver)
Affected: 19.1.0 , ≤ 19.1.2 (semver) Affected: 19.2.0 , ≤ 19.2.1 (semver) |
||||||||||||
|
||||||||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.1",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.2",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.1",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "(CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:09:32.286Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55183"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55183",
"datePublished": "2025-12-11T20:04:48.655Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-12-11T20:09:32.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55182 (GCVE-0-2025-55182)
Vulnerability from cvelistv5 – Published: 2025-12-03 15:40 – Updated: 2025-12-11 20:15
VLAI?
Summary
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Severity ?
10 (Critical)
CWE
- Deserialization of Untrusted Data (CWE-502)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-webpack |
Affected:
19.0.0 , ≤ 19.0.0
(semver)
Affected: 19.1.0 , ≤ 19.1.1 (semver) Affected: 19.2.0 , ≤ 19.2.0 (semver) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55182",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-12-05",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T04:55:42.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"media-coverage"
],
"url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-05T00:00:00+00:00",
"value": "CVE-2025-55182 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-12-04T17:32:12.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
},
{
"url": "https://news.ycombinator.com/item?id=46136026"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.1",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.1",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.1",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Deserialization of Untrusted Data (CWE-502)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:15:37.699Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55182",
"datePublished": "2025-12-03T15:40:56.894Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-12-11T20:15:37.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2018-6341 (GCVE-0-2018-6341)
Vulnerability from cvelistv5 – Published: 2018-12-31 22:00 – Updated: 2025-05-06 16:54
VLAI?
Summary
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (CWE-79)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| react-dom |
Affected:
16.4.2
Affected: 16.4.0 , < unspecified (custom) Affected: 16.3.3 Affected: 16.3.0 , < unspecified (custom) Affected: 16.2.1 Affected: 16.2.0 , < unspecified (custom) Affected: 16.1.2 Affected: 16.1.0 , < unspecified (custom) Affected: 16.0.1 Affected: 16.0.0 , < unspecified (custom) Unaffected: unspecified , < 16.0.0 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:01:48.794Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/reactjs/status/1024745321987887104"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2018-6341",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T16:54:12.196558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T16:54:17.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "react-dom",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "16.4.2"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.4.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "16.3.3"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.3.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "16.2.1"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.2.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "16.1.2"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "16.0.1"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
},
{
"lessThan": "16.0.0",
"status": "unaffected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2018-08-01T00:00:00.000Z",
"datePublic": "2018-12-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-31T21:57:01.000Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/reactjs/status/1024745321987887104"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2018-08-01",
"ID": "CVE-2018-6341",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "react-dom",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "16.4.2"
},
{
"version_affected": "\u003e=",
"version_value": "16.4.0"
},
{
"version_affected": "!=\u003e",
"version_value": "16.3.3"
},
{
"version_affected": "\u003e=",
"version_value": "16.3.0"
},
{
"version_affected": "!=\u003e",
"version_value": "16.2.1"
},
{
"version_affected": "\u003e=",
"version_value": "16.2.0"
},
{
"version_affected": "!=\u003e",
"version_value": "16.1.2"
},
{
"version_affected": "\u003e=",
"version_value": "16.1.0"
},
{
"version_affected": "!=\u003e",
"version_value": "16.0.1"
},
{
"version_affected": "\u003e=",
"version_value": "16.0.0"
},
{
"version_affected": "!\u003c",
"version_value": "16.0.0"
}
]
}
}
]
},
"vendor_name": "Facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html",
"refsource": "MISC",
"url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
},
{
"name": "https://twitter.com/reactjs/status/1024745321987887104",
"refsource": "MISC",
"url": "https://twitter.com/reactjs/status/1024745321987887104"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2018-6341",
"datePublished": "2018-12-31T22:00:00.000Z",
"dateReserved": "2018-01-26T00:00:00.000Z",
"dateUpdated": "2025-05-06T16:54:17.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-55182
Vulnerability from fkie_nvd - Published: 2025-12-03 16:15 - Updated: 2025-12-06 02:00
Severity ?
Summary
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
References
Impacted products
{
"cisaActionDue": "2025-12-26",
"cisaExploitAdd": "2025-12-05",
"cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Meta React Server Components Remote Code Execution Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C66E1B0F-8C3F-4D27-9F46-B6EC78D8C60B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C6C1C3E2-542D-4001-BFA9-6CF5A038971D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A0907E1C-E2D2-44A4-AA46-CE80BCA4E015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0030B5E1-E79E-4C48-B500-91747FE2751D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "FC2BCD83-CC87-4CDC-AD9B-2055912A8463",
"versionEndExcluding": "15.0.5",
"versionStartIncluding": "15.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "C5E767D4-E46F-4CA6-A22F-4D0671B9B102",
"versionEndExcluding": "15.1.9",
"versionStartIncluding": "15.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "5EFB6CB7-4A4F-464A-A1D8-62B50DF0B4BA",
"versionEndExcluding": "15.2.6",
"versionStartIncluding": "15.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "83AF54D7-410D-42B4-853A-8A1973636542",
"versionEndExcluding": "15.3.6",
"versionStartIncluding": "15.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "3D666EA7-BDAE-4E67-A331-B7403C3AA482",
"versionEndExcluding": "15.4.8",
"versionStartIncluding": "15.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "E666ECDA-7A29-4D3D-AC40-357F044AD595",
"versionEndExcluding": "15.5.7",
"versionStartIncluding": "15.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "CF65554E-4BF0-4344-AE7F-9E09E34E084F",
"versionEndExcluding": "16.0.7",
"versionStartIncluding": "16.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*",
"matchCriteriaId": "B209A306-CE1A-448D-8653-7627302399B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*",
"matchCriteriaId": "D1DCAC23-7ED0-456B-8AE2-57689199F708",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*",
"matchCriteriaId": "8B35D612-AC2A-4697-934F-372E4D5EE3F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*",
"matchCriteriaId": "A06D2291-5D89-4B76-99E0-52505634A63B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*",
"matchCriteriaId": "8F01F07A-79F7-4F4B-8E3A-9C7D93C83A63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*",
"matchCriteriaId": "9EDA2864-F94B-48EB-98F3-FDBFCECCC4A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*",
"matchCriteriaId": "4828BEE0-E891-491B-903D-A50B0E37273C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*",
"matchCriteriaId": "55723BB4-E62B-4034-A434-485FE0E6BAF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*",
"matchCriteriaId": "19F55784-CC11-4024-9A42-EFEEF7B2366F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*",
"matchCriteriaId": "1D694B0A-9BCF-49C8-A787-B0AFE51C7DC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*",
"matchCriteriaId": "C91F9508-E18D-4928-9DF5-DE2DDBEC56D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*",
"matchCriteriaId": "3ED7F693-8012-4F88-BC71-CF108E20664A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*",
"matchCriteriaId": "40EE98AC-754A-4FD9-B51A-9E2674584FD9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*",
"matchCriteriaId": "13B41C54-AF21-4637-A852-F997635B4E83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*",
"matchCriteriaId": "91B41697-2D70-488D-A5C3-CB9D435560CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*",
"matchCriteriaId": "7D43DB84-7BCF-429B-849A-7189EC1922D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*",
"matchCriteriaId": "CEC2346B-8DBD-4D53-9866-CFBDD3AACEF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*",
"matchCriteriaId": "2BC95097-8CA6-42FE-98D7-F968E37C11B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*",
"matchCriteriaId": "4F8FA85C-1200-4FD2-B5D7-906300748BD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*",
"matchCriteriaId": "5D0B177B-2A31-48E9-81C7-1024E2452486",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*",
"matchCriteriaId": "7CCA01F3-3A14-4450-8A68-B1DA22C685B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*",
"matchCriteriaId": "1AB351AE-8C29-4E67-8699-0AAC6B3383E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*",
"matchCriteriaId": "14A34D9D-5FA2-434B-836E-3CE63D716CCB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*",
"matchCriteriaId": "E8440F05-F32B-4D40-90B7-04BF22107D86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*",
"matchCriteriaId": "FB6C6F6D-1EC0-4BD9-97A4-CFDE70DF0C43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*",
"matchCriteriaId": "6189BD4C-A3E2-451B-96B2-FF01250E946D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*",
"matchCriteriaId": "389EE453-8B07-45DD-BE9C-277C9C5CB156",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*",
"matchCriteriaId": "BA4D4638-4734-4B16-87AA-EF4B5D2DDD7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*",
"matchCriteriaId": "D54A2E63-6E0C-4E17-86A8-459B0A7EE00B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*",
"matchCriteriaId": "E6136F0A-3010-4BAD-811B-D047CF5E6F64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*",
"matchCriteriaId": "525EFA40-B14B-47E9-8FBD-45721A802DB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*",
"matchCriteriaId": "69142944-1EC0-4F94-862E-FA7F2E101101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*",
"matchCriteriaId": "30016C06-372D-4F98-84A8-0732CA054970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*",
"matchCriteriaId": "E1536E2B-84EC-46A3-9B6F-026364A9D927",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*",
"matchCriteriaId": "5E6F1F60-30E2-407C-8152-EEEB7EFE24CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*",
"matchCriteriaId": "3C907301-2C8F-465B-8134-94130E29F5DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*",
"matchCriteriaId": "E81C89FD-40CB-471E-9967-90ACDCF79373",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*",
"matchCriteriaId": "55E8AEEC-A686-49D6-B298-AEE4E838E769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*",
"matchCriteriaId": "CB0618EC-6A0B-4AC3-BF6D-E51AC84C4E15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*",
"matchCriteriaId": "7B27F133-8EB4-4761-A706-DF42D4EB55F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*",
"matchCriteriaId": "BF975472-B7E7-4AC8-B834-DA19897A4894",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*",
"matchCriteriaId": "48A82613-F3FD-4E89-8E4A-F3F05A616171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*",
"matchCriteriaId": "0D42CA1F-7C21-47C1-8A9C-1015286FCBE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*",
"matchCriteriaId": "7C83A4EF-B96F-40EC-BA1F-FE1370AF78AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*",
"matchCriteriaId": "C151FDAB-DE34-4A7E-9762-6E99386798BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*",
"matchCriteriaId": "53025212-05F0-41FE-81F8-023B1784BB8C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*",
"matchCriteriaId": "68EAC2B9-32A5-4721-BB35-16D519CD1BBC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*",
"matchCriteriaId": "7411EF71-CBEB-4127-935F-3C732A1E22AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*",
"matchCriteriaId": "0C4B8930-1B65-4894-AFA8-C323AA7A8292",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*",
"matchCriteriaId": "B4977345-BD8C-41C7-9DD7-1E41D6CC6438",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*",
"matchCriteriaId": "EFE030A4-5B14-4C2D-B953-E80C98FB26EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*",
"matchCriteriaId": "9F616FD4-83BF-4A9A-AFFD-0D3E2544DC7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*",
"matchCriteriaId": "00512630-8B88-43B0-9ED3-2B33C64CC9A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*",
"matchCriteriaId": "A88EEF11-C7DA-4E2D-A030-FC177E696557",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*",
"matchCriteriaId": "BE8453D9-7275-4A5F-8732-F05662FFF2E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*",
"matchCriteriaId": "E306B896-9BBB-424B-8D99-7A1A79AEFE9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*",
"matchCriteriaId": "ACA87B86-33D5-4BEA-A13D-EEB4922D511E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*",
"matchCriteriaId": "77AA0D23-B101-445C-A260-ED3152A93D17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*",
"matchCriteriaId": "7D7DCCF7-FC83-4767-A0C2-C84A8B14F93B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*",
"matchCriteriaId": "FD397568-7F1F-4153-AF08-B22D4D3B45F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*",
"matchCriteriaId": "984416EF-B121-40CE-B3AD-E22A06BB5844",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*",
"matchCriteriaId": "C4B58652-EE24-43CF-8ABE-4A01B2C9938C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*",
"matchCriteriaId": "8090CF73-AEA7-43FC-A960-321BED3B1682",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*",
"matchCriteriaId": "823164E5-609D-4F24-86A5-E25618FE86A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*",
"matchCriteriaId": "E13CD688-63C3-4FFA-9D13-696005F0C155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*",
"matchCriteriaId": "B397B18C-8A7A-4766-9A68-98B26E190A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*",
"matchCriteriaId": "2DB345E3-BAD0-497E-93AE-5E4DC669C192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*",
"matchCriteriaId": "840FEB19-2C66-4004-A488-B90219F8AC05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*",
"matchCriteriaId": "C260F966-73D7-43F3-A329-8C558A695821",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:*",
"matchCriteriaId": "28130A79-39B5-43E8-A690-C8E9C62483F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:*",
"matchCriteriaId": "5E8548AB-D9E8-4E65-AF24-9F9021F99834",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
}
],
"id": "CVE-2025-55182",
"lastModified": "2025-12-06T02:00:02.510",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "cve-assign@fb.com",
"type": "Secondary"
}
]
},
"published": "2025-12-03T16:15:56.463",
"references": [
{
"source": "cve-assign@fb.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
},
{
"source": "cve-assign@fb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=46136026"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Third Party Advisory"
],
"url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
}
],
"sourceIdentifier": "cve-assign@fb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-6341
Vulnerability from fkie_nvd - Published: 2018-12-31 22:29 - Updated: 2025-05-06 17:15
Severity ?
Summary
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2F2DBC72-D3BB-4F2E-8C4E-78338879F785",
"versionEndExcluding": "16.0.1",
"versionStartIncluding": "16.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BFDC1FE0-32FA-4087-BAC9-8BE468C2C890",
"versionEndExcluding": "16.1.2",
"versionStartIncluding": "16.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
"matchCriteriaId": "68B83811-5DEF-4C8D-A472-A2AB9B25AAB7",
"versionEndExcluding": "16.2.1",
"versionStartIncluding": "16.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
"matchCriteriaId": "13B2835B-E9DB-49B7-9C1D-EFF8EDE1C367",
"versionEndExcluding": "16.3.3",
"versionStartIncluding": "16.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AFEFCB3B-A978-457C-A26E-D1A818DE878D",
"versionEndExcluding": "16.4.2",
"versionStartIncluding": "16.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2."
},
{
"lang": "es",
"value": "Aplicaciones \"react\" que renderizaban a HTML mediante la API APIReactDOMServer no escapaban nombres de atributo proporcionados por el usuario a la hora de renderizar. Dicha falta de escape podr\u00eda provocar una vulnerabilidad de Cross-Site Scripting (XSS). Este problema afectaba a peque\u00f1as distribuciones: las versiones 16.0.x, 16.1.x, 16.2.x, 16.3.x y 16.4.x. Se solucion\u00f3 en las versiones 16.0.1, 16.1.2, 16.2.1, 16.3.3 y 16.4.2."
}
],
"id": "CVE-2018-6341",
"lastModified": "2025-05-06T17:15:51.207",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2018-12-31T22:29:00.387",
"references": [
{
"source": "cve-assign@fb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
},
{
"source": "cve-assign@fb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://twitter.com/reactjs/status/1024745321987887104"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://twitter.com/reactjs/status/1024745321987887104"
}
],
"sourceIdentifier": "cve-assign@fb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve-assign@fb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}