React — JavaScript-библиотека с открытым исходным кодом для разработки пользовательских интерфейсов.
Релизный цикл, информация об уязвимостях
График релизов
Количество 11
GHSA-7gmr-mq3h-m5h9
Denial of Service Vulnerability in React Server Components
CVE-2025-67779
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
GHSA-2m3v-v2m8-q956
Denial of Service Vulnerability in React Server Components
GHSA-925w-6v3x-g4j4
Source Code Exposure Vulnerability in React Server Components
CVE-2025-55184
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
CVE-2025-55183
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
GHSA-fv66-9v8q-g76r
React Server Components are Vulnerable to RCE
CVE-2025-55182
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
BDU:2025-15156
Уязвимость функции requireModule() пакетов react-server-dom-webpack, react-server-dom-parcel и react-server-dom-turbopack JavaScript библиотеки построения пользовательских интерфейсов React, позволяющая нарушителю выполнить произвольный код
GHSA-mvjj-gqq2-p4hw
Cross-Site Scripting in react-dom
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-7gmr-mq3h-m5h9 Denial of Service Vulnerability in React Server Components | CVSS3: 7.5 | 0% Низкий | 7 дней назад |
 | CVE-2025-67779 It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served. | CVSS3: 7.5 | 0% Низкий | 7 дней назад |
| GHSA-2m3v-v2m8-q956 Denial of Service Vulnerability in React Server Components | CVSS3: 7.5 | 6% Низкий | 7 дней назад |
| GHSA-925w-6v3x-g4j4 Source Code Exposure Vulnerability in React Server Components | CVSS3: 5.3 | 1% Низкий | 7 дней назад |
| CVE-2025-55184 A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served. | CVSS3: 7.5 | 6% Низкий | 7 дней назад |
| CVE-2025-55183 An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument. | CVSS3: 5.3 | 1% Низкий | 7 дней назад |
| GHSA-fv66-9v8q-g76r React Server Components are Vulnerable to RCE | CVSS3: 10 | 76% Высокий | 15 дней назад |
| CVE-2025-55182 A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. | CVSS3: 10 | 76% Высокий | 16 дней назад |
 | BDU:2025-15156 Уязвимость функции requireModule() пакетов react-server-dom-webpack, react-server-dom-parcel и react-server-dom-turbopack JavaScript библиотеки построения пользовательских интерфейсов React, позволяющая нарушителю выполнить произвольный код | CVSS3: 10 | 76% Высокий | 16 дней назад |
| GHSA-mvjj-gqq2-p4hw Cross-Site Scripting in react-dom | CVSS3: 6.1 | 17% Средний | почти 7 лет назад |
Уязвимостей на страницу