Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    372 vulnerabilities by Facebook

    CVE-2026-49059 (GCVE-0-2026-49059)

    Vulnerability from nvd – Published: 2026-05-27 14:33 – Updated: 2026-05-28 00:33 X_Open Source
    VLAI
    Title
    WordPress Facebook for WooCommerce plugin <= 3.7.0 - Open Redirection vulnerability
    Summary
    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook Facebook for WooCommerce Affected: n/a , ≤ 3.7.0 (custom)
    Create a notification for this product.
    Credits
    timomangcut | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49059",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T00:33:31.656838Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T00:33:43.335Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "facebook-for-woocommerce",
              "product": "Facebook for WooCommerce",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.0",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "timomangcut | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Facebook Facebook for WooCommerce allows Phishing.\u003cp\u003eThis issue affects Facebook for WooCommerce: from n/a through 3.7.0.\u003c/p\u003e"
                }
              ],
              "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Facebook Facebook for WooCommerce allows Phishing.\n\nThis issue affects Facebook for WooCommerce: from n/a through 3.7.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-98",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-98 Phishing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T14:33:18.844Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/facebook-for-woocommerce/vulnerability/wordpress-facebook-for-woocommerce-plugin-3-7-0-open-redirection-vulnerability?_s_id=cve"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "WordPress Facebook for WooCommerce plugin \u003c= 3.7.0 - Open Redirection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-49059",
        "datePublished": "2026-05-27T14:33:18.844Z",
        "dateReserved": "2026-05-27T10:26:36.700Z",
        "dateUpdated": "2026-05-28T00:33:43.335Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23866 (GCVE-0-2026-23866)

    Vulnerability from nvd – Published: 2026-05-01 16:02 – Updated: 2026-05-01 17:42
    VLAI
    Summary
    Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Verification of Source of a Communication Channel (CWE-940)
    • CWE-940 - Improper Verification of Source of a Communication Channel
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook WhatsApp for Android Affected: 2.25.8.0 , < 2.26.7.10 (semver)
    Create a notification for this product.
    Facebook WhatsApp for iOS Affected: 2.25.8.0 , < 2.26.15.72 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23866",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T17:41:43.060585Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-940",
                    "description": "CWE-940 Improper Verification of Source of a Communication Channel",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T17:42:09.286Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp for Android",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.26.7.10",
                  "status": "affected",
                  "version": "2.25.8.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.26.15.72",
                  "status": "affected",
                  "version": "2.25.8.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2026-04-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user\u2019s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Verification of Source of a Communication Channel (CWE-940)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-01T16:10:25.306Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2026-23866"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2026"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23866",
        "datePublished": "2026-05-01T16:02:03.304Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-05-01T17:42:09.286Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23863 (GCVE-0-2026-23863)

    Vulnerability from nvd – Published: 2026-05-01 16:01 – Updated: 2026-05-01 17:41
    VLAI
    Summary
    An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Neutralization of Null Byte or NUL Character (CWE-158)
    • CWE-158 - Improper Neutralization of Null Byte or NUL Character
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook WhatsApp Desktop for Windows Affected: 2.3000.*.252500 , < 2.3000.1032164386.258709 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23863",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T17:40:45.569668Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-158",
                    "description": "CWE-158 Improper Neutralization of Null Byte or NUL Character",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T17:41:14.681Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Desktop for Windows",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.3000.1032164386.258709",
                  "status": "affected",
                  "version": "2.3000.*.252500",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "dateAssigned": "2026-04-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Neutralization of Null Byte or NUL Character (CWE-158)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-01T16:15:38.171Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2026-23863"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2026"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23863",
        "datePublished": "2026-05-01T16:01:39.565Z",
        "dateReserved": "2026-01-16T19:49:26.308Z",
        "dateUpdated": "2026-05-01T17:41:14.681Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23864 (GCVE-0-2026-23864)

    Vulnerability from nvd – Published: 2026-01-26 19:16 – Updated: 2026-07-03 12:04
    VLAI
    Summary
    Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502): Deserialization of Untrusted Data. (CWE-400): Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-1284 - Improper Validation of Specified Quantity in Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 2.9.4     cpe:/a:redhat:amq_streams:2.9::el9
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 3.2.0     cpe:/a:redhat:amq_streams:3.2::el9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T20:26:03.428817Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T20:26:45.709Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 2.9.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 3.2.0",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-26T19:16:38.250Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in React Server Components. A remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to Server Function endpoints. This can lead to a Denial of Service (DoS), causing server crashes, out-of-memory exceptions, or excessive CPU usage, thereby impacting the availability of applications."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1284",
                    "description": "Improper Validation of Specified Quantity in Input",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-03T12:04:51.558Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-23864"
              },
              {
                "name": "RHBZ#2433059",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433059"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23864.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34608"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13571"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:34608: Streams for Apache Kafka 2.9.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13571: Streams for Apache Kafka 3.2.0"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-26T20:01:54.396Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-26T19:16:38.250Z",
                "value": "Made public."
              }
            ],
            "title": "react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.\n\nThe vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.\n\nStrongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502): Deserialization of Untrusted Data. (CWE-400): Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-26T19:16:38.250Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2026-23864"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23864",
        "datePublished": "2026-01-26T19:16:38.250Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-07-03T12:04:51.558Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-67779 (GCVE-0-2025-67779)

    Vulnerability from nvd – Published: 2025-12-11 23:36 – Updated: 2025-12-12 18:40
    VLAI
    Summary
    It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-parcel Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Meta react-server-dom-webpack Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67779",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T18:39:24.796538Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T18:40:45.863Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T23:36:20.699Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-67779"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-67779",
        "datePublished": "2025-12-11T23:36:20.699Z",
        "dateReserved": "2025-12-11T22:58:08.827Z",
        "dateUpdated": "2025-12-12T18:40:45.863Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55184 (GCVE-0-2025-55184)

    Vulnerability from nvd – Published: 2025-12-11 20:05 – Updated: 2025-12-15 16:37
    VLAI
    Summary
    A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55184",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T16:36:27.831763Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T16:37:06.708Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/KingHacker353/CVE-2025-55184"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:11:26.262Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55184"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55184",
        "datePublished": "2025-12-11T20:05:01.328Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2025-12-15T16:37:06.708Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55183 (GCVE-0-2025-55183)

    Vulnerability from nvd – Published: 2025-12-11 20:04 – Updated: 2026-01-07 16:26
    VLAI
    Summary
    An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55183",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-07T16:24:47.971492Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-07T16:26:47.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:09:32.286Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55183"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55183",
        "datePublished": "2025-12-11T20:04:48.655Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2026-01-07T16:26:47.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55182 (GCVE-0-2025-55182)

    Vulnerability from nvd – Published: 2025-12-03 15:40 – Updated: 2026-02-26 16:57
    Summary
    A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Deserialization of Untrusted Data (CWE-502)
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55182",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-06T04:55:43.783137Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2025-12-05",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T16:57:36.794Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "media-coverage"
                ],
                "url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
              },
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2025-12-05T00:00:00.000Z",
                "value": "CVE-2025-55182 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-04T17:32:12.884Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
              },
              {
                "url": "https://news.ycombinator.com/item?id=46136026"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-02T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Deserialization of Untrusted Data (CWE-502)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:15:37.699Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55182"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55182",
        "datePublished": "2025-12-03T15:40:56.894Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2026-02-26T16:57:36.794Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55181 (GCVE-0-2025-55181)

    Vulnerability from nvd – Published: 2025-12-02 22:13 – Updated: 2025-12-03 00:33
    VLAI
    Summary
    Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Excessive Iteration (CWE-834)
    • CWE-834 - Excessive Iteration
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook proxygen Affected: v2025.08.25.00 , ≤ v2025.12.01.00 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55181",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T00:33:16.510713Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-834",
                    "description": "CWE-834 Excessive Iteration",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T00:33:57.022Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "proxygen",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThanOrEqual": "v2025.12.01.00",
                  "status": "affected",
                  "version": "v2025.08.25.00",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Excessive Iteration (CWE-834)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-02T22:13:31.101Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55181"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/proxygen/commit/17689399ef99b7c3d3a8b2b768b1dba1a4b72f8f"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55181",
        "datePublished": "2025-12-02T22:13:31.101Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2025-12-03T00:33:57.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55179 (GCVE-0-2025-55179)

    Vulnerability from nvd – Published: 2025-11-18 13:56 – Updated: 2025-11-18 14:25
    VLAI
    Summary
    Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen evidence of exploitation in the wild.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect Authorization (CWE-863)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook WhatsApp Business for iOS Affected: 2.25.8.14 , < 2.25.23.82 (semver)
    Create a notification for this product.
    Facebook WhatsApp for iOS Affected: 2.25.8.17 , < 2.25.23.73 (semver)
    Create a notification for this product.
    Facebook WhatsApp Desktop for Mac Affected: 2.25.8.14 , < 2.25.23.83 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-18T14:22:05.852548Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-18T14:25:08.232Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "WhatsApp Business for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.23.82",
                  "status": "affected",
                  "version": "2.25.8.14",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.23.73",
                  "status": "affected",
                  "version": "2.25.8.17",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Desktop for Mac",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.23.83",
                  "status": "affected",
                  "version": "2.25.8.14",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-11-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user\u2019s device. We have not seen evidence of exploitation in the wild."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Authorization (CWE-863)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-18T13:56:31.598Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55179"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2025/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55179",
        "datePublished": "2025-11-18T13:56:31.598Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2025-11-18T14:25:08.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64296 (GCVE-0-2025-64296)

    Vulnerability from nvd – Published: 2025-10-29 04:08 – Updated: 2026-04-28 16:14
    VLAI
    Title
    WordPress Facebook for WooCommerce plugin <= 3.5.7 - Broken Access Control to Notice Dismissal vulnerability
    Summary
    Missing Authorization vulnerability in Facebook Facebook for WooCommerce facebook-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Facebook for WooCommerce: from n/a through <= 3.5.7.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook Facebook for WooCommerce Affected: 0 , ≤ 3.5.7 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:43
    Credits
    Legion Hunter | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64296",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-29T13:43:32.792758Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-29T13:43:42.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "facebook-for-woocommerce",
              "product": "Facebook for WooCommerce",
              "vendor": "Facebook",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.5.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.5.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Legion Hunter | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:43:35.843Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in Facebook Facebook for WooCommerce facebook-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Facebook for WooCommerce: from n/a through \u003c= 3.5.7.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in Facebook Facebook for WooCommerce facebook-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Facebook for WooCommerce: from n/a through \u003c= 3.5.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:14:14.183Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/facebook-for-woocommerce/vulnerability/wordpress-facebook-for-woocommerce-plugin-3-5-7-broken-access-control-to-notice-dismissal-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Facebook for WooCommerce plugin \u003c= 3.5.7 - Broken Access Control to Notice Dismissal vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-64296",
        "datePublished": "2025-10-29T04:08:45.858Z",
        "dateReserved": "2025-10-29T03:42:18.167Z",
        "dateUpdated": "2026-04-28T16:14:14.183Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55177 (GCVE-0-2025-55177)

    Vulnerability from nvd – Published: 2025-08-29 15:50 – Updated: 2026-02-26 17:47
    VLAI CISA KEVIntel
    Summary
    Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect Authorization (CWE-863)
    Assigner
    Impacted products
    Vendor Product Version
    Facebook WhatsApp Desktop for Mac Affected: 2.22.25.2 , < 2.25.21.78 (semver)
    Create a notification for this product.
    Facebook WhatsApp Business for iOS Affected: 2.22.25.2 , < 2.25.21.78 (semver)
    Create a notification for this product.
    Facebook WhatsApp for iOS Affected: 2.22.25.2 , < 2.25.21.73 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55177",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-30T03:55:35.684164Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2025-09-02",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:47:48.837Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2025-09-02T00:00:00.000Z",
                "value": "CVE-2025-55177 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Desktop for Mac",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.21.78",
                  "status": "affected",
                  "version": "2.22.25.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Business for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.21.78",
                  "status": "affected",
                  "version": "2.22.25.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.21.73",
                  "status": "affected",
                  "version": "2.22.25.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-08-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target\u2019s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Authorization (CWE-863)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-30T16:54:33.495Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55177"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2025/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2025-55177",
        "datePublished": "2025-08-29T15:50:28.578Z",
        "dateReserved": "2025-08-08T18:21:47.118Z",
        "dateUpdated": "2026-02-26T17:47:48.837Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-30403 (GCVE-0-2025-30403)

    Vulnerability from nvd – Published: 2025-07-11 18:26 – Updated: 2025-07-11 19:23
    VLAI
    Summary
    A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Heap-based Buffer Overflow (CWE-122)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook mvfst Affected: v2025.03.24.00 , < v2025.07.07.00 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30403",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-11T19:22:21.366810Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-11T19:23:37.185Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "mvfst",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "v2025.07.07.00",
                  "status": "affected",
                  "version": "v2025.03.24.00",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-06-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Heap-based Buffer Overflow (CWE-122)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-11T18:26:51.212Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-30403"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/mvfst/commit/65b297332191de6e867c4a3139a233fc84c0e7e0"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2025-30403",
        "datePublished": "2025-07-11T18:26:51.212Z",
        "dateReserved": "2025-03-21T19:52:56.085Z",
        "dateUpdated": "2025-07-11T19:23:37.185Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30401 (GCVE-0-2025-30401)

    Vulnerability from nvd – Published: 2025-04-05 11:47 – Updated: 2025-04-09 17:19
    VLAI
    Summary
    A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp. We have not seen evidence of exploitation in the wild.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook WhatsApp Desktop for Windows Affected: 0.0.0 , < 2.2450.6 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30401",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-07T14:35:23.677082Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-07T18:30:10.813Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Desktop for Windows",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.2450.6",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-03-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment\u2019s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp. We have not seen evidence of exploitation in the wild."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-430",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-09T17:19:56.351Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-30401"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2025/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2025-30401",
        "datePublished": "2025-04-05T11:47:54.836Z",
        "dateReserved": "2025-03-21T19:52:56.084Z",
        "dateUpdated": "2025-04-09T17:19:56.351Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27591 (GCVE-0-2025-27591)

    Vulnerability from nvd – Published: 2025-03-11 18:29 – Updated: 2025-03-21 20:38
    VLAI
    Summary
    A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect Permission Assignment for Critical Resource (CWE-732)
    Assigner
    Impacted products
    Vendor Product Version
    Meta Platforms, Inc below Affected: 0.0.0 , < 0.9.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-03-12T13:08:26.252Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/03/12/1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27591",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-21T20:37:38.689510Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-21T20:38:10.292Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "below",
              "vendor": "Meta Platforms, Inc",
              "versions": [
                {
                  "lessThan": "0.9.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-03-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Permission Assignment for Critical Resource (CWE-732)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T18:29:21.569Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-27591"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/facebookincubator/below/commit/da9382e6e3e332fd2c3195e22f34977f83f0f1f3"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2025-27591",
        "datePublished": "2025-03-11T18:29:21.569Z",
        "dateReserved": "2025-03-03T11:36:32.537Z",
        "dateUpdated": "2025-03-21T20:38:10.292Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-49059 (GCVE-0-2026-49059)

    Vulnerability from cvelistv5 – Published: 2026-05-27 14:33 – Updated: 2026-05-28 00:33 X_Open Source
    VLAI
    Title
    WordPress Facebook for WooCommerce plugin <= 3.7.0 - Open Redirection vulnerability
    Summary
    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook Facebook for WooCommerce Affected: n/a , ≤ 3.7.0 (custom)
    Create a notification for this product.
    Credits
    timomangcut | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49059",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T00:33:31.656838Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T00:33:43.335Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "facebook-for-woocommerce",
              "product": "Facebook for WooCommerce",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThanOrEqual": "3.7.0",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "timomangcut | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Facebook Facebook for WooCommerce allows Phishing.\u003cp\u003eThis issue affects Facebook for WooCommerce: from n/a through 3.7.0.\u003c/p\u003e"
                }
              ],
              "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Facebook Facebook for WooCommerce allows Phishing.\n\nThis issue affects Facebook for WooCommerce: from n/a through 3.7.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-98",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-98 Phishing"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T14:33:18.844Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/facebook-for-woocommerce/vulnerability/wordpress-facebook-for-woocommerce-plugin-3-7-0-open-redirection-vulnerability?_s_id=cve"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "WordPress Facebook for WooCommerce plugin \u003c= 3.7.0 - Open Redirection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-49059",
        "datePublished": "2026-05-27T14:33:18.844Z",
        "dateReserved": "2026-05-27T10:26:36.700Z",
        "dateUpdated": "2026-05-28T00:33:43.335Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23866 (GCVE-0-2026-23866)

    Vulnerability from cvelistv5 – Published: 2026-05-01 16:02 – Updated: 2026-05-01 17:42
    VLAI
    Summary
    Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Verification of Source of a Communication Channel (CWE-940)
    • CWE-940 - Improper Verification of Source of a Communication Channel
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook WhatsApp for Android Affected: 2.25.8.0 , < 2.26.7.10 (semver)
    Create a notification for this product.
    Facebook WhatsApp for iOS Affected: 2.25.8.0 , < 2.26.15.72 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23866",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T17:41:43.060585Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-940",
                    "description": "CWE-940 Improper Verification of Source of a Communication Channel",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T17:42:09.286Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp for Android",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.26.7.10",
                  "status": "affected",
                  "version": "2.25.8.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.26.15.72",
                  "status": "affected",
                  "version": "2.25.8.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2026-04-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user\u2019s device, including triggering OS-controlled custom URL scheme handlers. We have not seen evidence of exploitation in the wild."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Verification of Source of a Communication Channel (CWE-940)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-01T16:10:25.306Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2026-23866"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2026"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23866",
        "datePublished": "2026-05-01T16:02:03.304Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-05-01T17:42:09.286Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23863 (GCVE-0-2026-23863)

    Vulnerability from cvelistv5 – Published: 2026-05-01 16:01 – Updated: 2026-05-01 17:41
    VLAI
    Summary
    An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Neutralization of Null Byte or NUL Character (CWE-158)
    • CWE-158 - Improper Neutralization of Null Byte or NUL Character
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook WhatsApp Desktop for Windows Affected: 2.3000.*.252500 , < 2.3000.1032164386.258709 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23863",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-01T17:40:45.569668Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-158",
                    "description": "CWE-158 Improper Neutralization of Null Byte or NUL Character",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-01T17:41:14.681Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Desktop for Windows",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.3000.1032164386.258709",
                  "status": "affected",
                  "version": "2.3000.*.252500",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "dateAssigned": "2026-04-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Neutralization of Null Byte or NUL Character (CWE-158)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-01T16:15:38.171Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2026-23863"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2026"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23863",
        "datePublished": "2026-05-01T16:01:39.565Z",
        "dateReserved": "2026-01-16T19:49:26.308Z",
        "dateUpdated": "2026-05-01T17:41:14.681Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23864 (GCVE-0-2026-23864)

    Vulnerability from cvelistv5 – Published: 2026-01-26 19:16 – Updated: 2026-07-03 12:04
    VLAI
    Summary
    Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502): Deserialization of Untrusted Data. (CWE-400): Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-1284 - Improper Validation of Specified Quantity in Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 2.9.4     cpe:/a:redhat:amq_streams:2.9::el9
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 3.2.0     cpe:/a:redhat:amq_streams:3.2::el9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T20:26:03.428817Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T20:26:45.709Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 2.9.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 3.2.0",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-26T19:16:38.250Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in React Server Components. A remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to Server Function endpoints. This can lead to a Denial of Service (DoS), causing server crashes, out-of-memory exceptions, or excessive CPU usage, thereby impacting the availability of applications."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1284",
                    "description": "Improper Validation of Specified Quantity in Input",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-03T12:04:51.558Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-23864"
              },
              {
                "name": "RHBZ#2433059",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433059"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23864.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34608"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13571"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:34608: Streams for Apache Kafka 2.9.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13571: Streams for Apache Kafka 3.2.0"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-26T20:01:54.396Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-26T19:16:38.250Z",
                "value": "Made public."
              }
            ],
            "title": "react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.\n\nThe vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.\n\nStrongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502): Deserialization of Untrusted Data. (CWE-400): Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-26T19:16:38.250Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2026-23864"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23864",
        "datePublished": "2026-01-26T19:16:38.250Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-07-03T12:04:51.558Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-67779 (GCVE-0-2025-67779)

    Vulnerability from cvelistv5 – Published: 2025-12-11 23:36 – Updated: 2025-12-12 18:40
    VLAI
    Summary
    It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-parcel Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Meta react-server-dom-webpack Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67779",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T18:39:24.796538Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T18:40:45.863Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T23:36:20.699Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-67779"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-67779",
        "datePublished": "2025-12-11T23:36:20.699Z",
        "dateReserved": "2025-12-11T22:58:08.827Z",
        "dateUpdated": "2025-12-12T18:40:45.863Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55184 (GCVE-0-2025-55184)

    Vulnerability from cvelistv5 – Published: 2025-12-11 20:05 – Updated: 2025-12-15 16:37
    VLAI
    Summary
    A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55184",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T16:36:27.831763Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T16:37:06.708Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/KingHacker353/CVE-2025-55184"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:11:26.262Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55184"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55184",
        "datePublished": "2025-12-11T20:05:01.328Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2025-12-15T16:37:06.708Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55183 (GCVE-0-2025-55183)

    Vulnerability from cvelistv5 – Published: 2025-12-11 20:04 – Updated: 2026-01-07 16:26
    VLAI
    Summary
    An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55183",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-07T16:24:47.971492Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-07T16:26:47.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:09:32.286Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55183"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55183",
        "datePublished": "2025-12-11T20:04:48.655Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2026-01-07T16:26:47.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55182 (GCVE-0-2025-55182)

    Vulnerability from cvelistv5 – Published: 2025-12-03 15:40 – Updated: 2026-02-26 16:57
    Summary
    A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Deserialization of Untrusted Data (CWE-502)
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55182",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-06T04:55:43.783137Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2025-12-05",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T16:57:36.794Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "media-coverage"
                ],
                "url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
              },
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2025-12-05T00:00:00.000Z",
                "value": "CVE-2025-55182 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-04T17:32:12.884Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
              },
              {
                "url": "https://news.ycombinator.com/item?id=46136026"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-02T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Deserialization of Untrusted Data (CWE-502)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:15:37.699Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55182"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55182",
        "datePublished": "2025-12-03T15:40:56.894Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2026-02-26T16:57:36.794Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55181 (GCVE-0-2025-55181)

    Vulnerability from cvelistv5 – Published: 2025-12-02 22:13 – Updated: 2025-12-03 00:33
    VLAI
    Summary
    Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Excessive Iteration (CWE-834)
    • CWE-834 - Excessive Iteration
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook proxygen Affected: v2025.08.25.00 , ≤ v2025.12.01.00 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55181",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-03T00:33:16.510713Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-834",
                    "description": "CWE-834 Excessive Iteration",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-03T00:33:57.022Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "proxygen",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThanOrEqual": "v2025.12.01.00",
                  "status": "affected",
                  "version": "v2025.08.25.00",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Excessive Iteration (CWE-834)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-02T22:13:31.101Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55181"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/proxygen/commit/17689399ef99b7c3d3a8b2b768b1dba1a4b72f8f"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55181",
        "datePublished": "2025-12-02T22:13:31.101Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2025-12-03T00:33:57.022Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55179 (GCVE-0-2025-55179)

    Vulnerability from cvelistv5 – Published: 2025-11-18 13:56 – Updated: 2025-11-18 14:25
    VLAI
    Summary
    Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen evidence of exploitation in the wild.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect Authorization (CWE-863)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook WhatsApp Business for iOS Affected: 2.25.8.14 , < 2.25.23.82 (semver)
    Create a notification for this product.
    Facebook WhatsApp for iOS Affected: 2.25.8.17 , < 2.25.23.73 (semver)
    Create a notification for this product.
    Facebook WhatsApp Desktop for Mac Affected: 2.25.8.14 , < 2.25.23.83 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-18T14:22:05.852548Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-18T14:25:08.232Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "WhatsApp Business for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.23.82",
                  "status": "affected",
                  "version": "2.25.8.14",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.23.73",
                  "status": "affected",
                  "version": "2.25.8.17",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Desktop for Mac",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.23.83",
                  "status": "affected",
                  "version": "2.25.8.14",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-11-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user\u2019s device. We have not seen evidence of exploitation in the wild."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Authorization (CWE-863)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-18T13:56:31.598Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55179"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2025/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55179",
        "datePublished": "2025-11-18T13:56:31.598Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2025-11-18T14:25:08.232Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64296 (GCVE-0-2025-64296)

    Vulnerability from cvelistv5 – Published: 2025-10-29 04:08 – Updated: 2026-04-28 16:14
    VLAI
    Title
    WordPress Facebook for WooCommerce plugin <= 3.5.7 - Broken Access Control to Notice Dismissal vulnerability
    Summary
    Missing Authorization vulnerability in Facebook Facebook for WooCommerce facebook-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Facebook for WooCommerce: from n/a through <= 3.5.7.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook Facebook for WooCommerce Affected: 0 , ≤ 3.5.7 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:43
    Credits
    Legion Hunter | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64296",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-29T13:43:32.792758Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-29T13:43:42.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "facebook-for-woocommerce",
              "product": "Facebook for WooCommerce",
              "vendor": "Facebook",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "3.5.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "3.5.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Legion Hunter | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:43:35.843Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in Facebook Facebook for WooCommerce facebook-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Facebook for WooCommerce: from n/a through \u003c= 3.5.7.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in Facebook Facebook for WooCommerce facebook-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Facebook for WooCommerce: from n/a through \u003c= 3.5.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:14:14.183Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/facebook-for-woocommerce/vulnerability/wordpress-facebook-for-woocommerce-plugin-3-5-7-broken-access-control-to-notice-dismissal-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress Facebook for WooCommerce plugin \u003c= 3.5.7 - Broken Access Control to Notice Dismissal vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-64296",
        "datePublished": "2025-10-29T04:08:45.858Z",
        "dateReserved": "2025-10-29T03:42:18.167Z",
        "dateUpdated": "2026-04-28T16:14:14.183Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55177 (GCVE-0-2025-55177)

    Vulnerability from cvelistv5 – Published: 2025-08-29 15:50 – Updated: 2026-02-26 17:47
    VLAI CISA KEVIntel
    Summary
    Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect Authorization (CWE-863)
    Assigner
    Impacted products
    Vendor Product Version
    Facebook WhatsApp Desktop for Mac Affected: 2.22.25.2 , < 2.25.21.78 (semver)
    Create a notification for this product.
    Facebook WhatsApp Business for iOS Affected: 2.22.25.2 , < 2.25.21.78 (semver)
    Create a notification for this product.
    Facebook WhatsApp for iOS Affected: 2.22.25.2 , < 2.25.21.73 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55177",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-30T03:55:35.684164Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2025-09-02",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:47:48.837Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2025-09-02T00:00:00.000Z",
                "value": "CVE-2025-55177 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Desktop for Mac",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.21.78",
                  "status": "affected",
                  "version": "2.22.25.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Business for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.21.78",
                  "status": "affected",
                  "version": "2.22.25.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp for iOS",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.25.21.73",
                  "status": "affected",
                  "version": "2.22.25.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-08-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target\u2019s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Authorization (CWE-863)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-30T16:54:33.495Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55177"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2025/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2025-55177",
        "datePublished": "2025-08-29T15:50:28.578Z",
        "dateReserved": "2025-08-08T18:21:47.118Z",
        "dateUpdated": "2026-02-26T17:47:48.837Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-30403 (GCVE-0-2025-30403)

    Vulnerability from cvelistv5 – Published: 2025-07-11 18:26 – Updated: 2025-07-11 19:23
    VLAI
    Summary
    A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Heap-based Buffer Overflow (CWE-122)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook mvfst Affected: v2025.03.24.00 , < v2025.07.07.00 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30403",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-11T19:22:21.366810Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-11T19:23:37.185Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "mvfst",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "v2025.07.07.00",
                  "status": "affected",
                  "version": "v2025.03.24.00",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-06-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Heap-based Buffer Overflow (CWE-122)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-11T18:26:51.212Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-30403"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/mvfst/commit/65b297332191de6e867c4a3139a233fc84c0e7e0"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2025-30403",
        "datePublished": "2025-07-11T18:26:51.212Z",
        "dateReserved": "2025-03-21T19:52:56.085Z",
        "dateUpdated": "2025-07-11T19:23:37.185Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30401 (GCVE-0-2025-30401)

    Vulnerability from cvelistv5 – Published: 2025-04-05 11:47 – Updated: 2025-04-09 17:19
    VLAI
    Summary
    A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp. We have not seen evidence of exploitation in the wild.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook WhatsApp Desktop for Windows Affected: 0.0.0 , < 2.2450.6 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.7,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30401",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-07T14:35:23.677082Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-07T18:30:10.813Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp Desktop for Windows",
              "vendor": "Facebook",
              "versions": [
                {
                  "lessThan": "2.2450.6",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-03-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment\u2019s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp. We have not seen evidence of exploitation in the wild."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-430",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-09T17:19:56.351Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-30401"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2025/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2025-30401",
        "datePublished": "2025-04-05T11:47:54.836Z",
        "dateReserved": "2025-03-21T19:52:56.084Z",
        "dateUpdated": "2025-04-09T17:19:56.351Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-27591 (GCVE-0-2025-27591)

    Vulnerability from cvelistv5 – Published: 2025-03-11 18:29 – Updated: 2025-03-21 20:38
    VLAI
    Summary
    A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect Permission Assignment for Critical Resource (CWE-732)
    Assigner
    Impacted products
    Vendor Product Version
    Meta Platforms, Inc below Affected: 0.0.0 , < 0.9.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-03-12T13:08:26.252Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/03/12/1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-27591",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-21T20:37:38.689510Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-21T20:38:10.292Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "below",
              "vendor": "Meta Platforms, Inc",
              "versions": [
                {
                  "lessThan": "0.9.0",
                  "status": "affected",
                  "version": "0.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-03-03T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Permission Assignment for Critical Resource (CWE-732)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T18:29:21.569Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-27591"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/facebookincubator/below/commit/da9382e6e3e332fd2c3195e22f34977f83f0f1f3"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2025-27591",
        "datePublished": "2025-03-11T18:29:21.569Z",
        "dateReserved": "2025-03-03T11:36:32.537Z",
        "dateUpdated": "2025-03-21T20:38:10.292Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }