Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
A flaw was found in the React Server Components (RSC) protocol in which an attacker could send a malicious package to a Server Function endpoint and cause unauthenticated remote code execution. This is possible due to the way the affected packages deserialized untrusted data.
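Because the advisory identifies the issue purely by package name and version, the first check a defender wants is whether any copy of the three packages at one of the four listed versions is present in a project's dependency tree, including copies nested under another dependency. The following script is an added example, not code from the advisory, from React, or from Red Hat: it walks an npm lockfile (the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1) and reports every match against the package names and versions given above. The sample lockfiles, the `example-framework` dependency and the `19.2.1` version string are constructed for illustration; the advisory itself does not name a fixed version, so the script only tests membership in the listed affected set.

```javascript
// Added example (not the advisory's, React's or Red Hat's code): scan an npm
// lockfile for the React Server Components packages and versions the advisory
// lists as affected. All sample data below is constructed.

// Package names and versions taken from the advisory text.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// In lockfileVersion 2/3 the "packages" map is keyed by install path, e.g.
// "node_modules/a/node_modules/b"; the package name is the part after the
// last "node_modules/" (scoped names such as "@scope/pkg" survive this too).
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

function isAffected(name, version) {
  return AFFECTED_PACKAGES.has(name) && AFFECTED_VERSIONS.has(version);
}

// Walk a lockfileVersion 1 "dependencies" tree (name -> {version, dependencies}).
function walkV1(deps, parentPath, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    if (isAffected(name, entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
    walkV1(entry.dependencies, `${path}/`, hits);
  }
}

// Returns every matching entry as {path, name, version}; handles both the
// flat v2/v3 "packages" map and the nested v1 "dependencies" tree.
function findAffected(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [key, entry] of Object.entries(lockfile.packages)) {
      if (key === "") continue; // root project entry, not a dependency
      const name = entry.name || packageNameFromKey(key);
      if (isAffected(name, entry.version)) {
        hits.push({ path: key, name, version: entry.version });
      }
    }
  } else {
    walkV1(lockfile.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample (lockfileVersion 3): one affected copy nested under a
// hypothetical "example-framework" dependency, one top-level copy at a version
// outside the listed set, one affected top-level copy, and "react" itself,
// which is not one of the listed packages even though its version matches.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/example-framework/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
  },
};

// Constructed sample in the older lockfileVersion 1 layout.
const SAMPLE_LOCKFILE_V1 = {
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    "example-framework": {
      version: "0.0.1",
      dependencies: {
        "react-server-dom-turbopack": { version: "19.1.0" },
      },
    },
  },
};

// Human-readable summary, one line per match.
function formatReport(hits) {
  if (hits.length === 0) return "no listed affected package/version found";
  return hits.map((h) => `${h.name}@${h.version} at ${h.path}`).join("\n");
}

console.log(formatReport(findAffected(SAMPLE_LOCKFILE)));
console.log(formatReport(findAffected(SAMPLE_LOCKFILE_V1)));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A match means the package is installed at a listed version; whether it is actually reachable depends on the application exposing Server Function endpoints, as the statement below notes for Next.js without the App Router.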
Statement
No Red Hat software includes the directly affected React Server Components packages (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack). However, the reference implementation of React Server Components is used by other projects such as Next.js. Next.js requested a CVE to track their impacted versions, CVE-2025-66478, but that CVE was rejected as a duplicate of this one. The packages listed here include Next.js as a dependency, but our analysis indicates that they are not affected by the vulnerability as they do not use the App Router functionality that exposes endpoints serving the vulnerable protocol.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | firefox | Not affected | | |
| Red Hat Enterprise Linux 10 | thunderbird | Not affected | | |
| Red Hat Enterprise Linux 7 | firefox | Not affected | | |
| Red Hat Enterprise Linux 8 | firefox | Not affected | | |
| Red Hat Enterprise Linux 8 | thunderbird | Not affected | | |
| Red Hat Enterprise Linux 9 | dotnet7.0 | Not affected | | |
| Red Hat Enterprise Linux 9 | firefox | Not affected | | |
| Red Hat Enterprise Linux 9 | thunderbird | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-cuda-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/disk-image-cuda-rhel9 | Not affected | | |
Source references
Additional information
Status:
CVSS3: 10 Critical
Related vulnerabilities
Vulnerability in the requireModule() function of the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages of the React JavaScript user-interface library, allowing an attacker to execute arbitrary code
CVSS3: 10 Critical