cbcvebase.

Facebook React vulnerabilities

7 known vulnerabilities affecting facebook/react.

Total CVEs
7
CISA KEV
1
actively exploited
Public exploits
3
Exploited in wild
2
Severity breakdown
CRITICAL1HIGH3MEDIUM3

Vulnerabilities

Page 1 of 1
CVE-2025-55182P1CRITICALCVSS 10.0KEVPoCRansomwarev19.0.0v19.1.0+2 more2025-12-03
CVE-2025-55182 [CRITICAL] CWE-502 CVE-2025-55182: A pre-authentication remote code execution vulnerability exists in React Server Components versions A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints
nvd
CVE-2025-55184P1HIGHCVSS 7.5ExploitedPoC≥ 19.0.0, < 19.0.2≥ 19.1.0, < 19.1.3+1 more2025-12-11
CVE-2025-55184 [HIGH] CWE-502 CVE-2025-55184: A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0 A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Fu
nvd
CVE-2025-55183P2MEDIUMCVSS 5.3PoC≥ 19.0.0, < 19.0.2≥ 19.1.0, < 19.1.3+1 more2025-12-11
CVE-2025-55183 [MEDIUM] CVE-2025-55183: An information leak vulnerability exists in specific configurations of React Server Components versi An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may uns
nvd
CVE-2025-67779P3HIGHCVSS 7.5v19.0.2v19.1.3+1 more2025-12-12
CVE-2025-67779 [HIGH] CVE-2025-67779: It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and do It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop t
nvd
CVE-2026-23864P3HIGHCVSS 7.5≥ 19.0.0, < 19.0.4≥ 19.1.0, < 19.1.5+1 more2026-01-26
CVE-2026-23864 [HIGH] CWE-400 CVE-2026-23864: Multiple denial of service vulnerabilities exist in React Server Components, affecting the following Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory excepti
nvd
CVE-2018-6341P4MEDIUMCVSS 6.1≥ 16.0.0, < 16.0.1≥ 16.1.0, < 16.1.2+3 more2018-12-31
CVE-2018-6341 [MEDIUM] CWE-79 CVE-2018-6341: React applications which rendered to HTML using the ReactDOMServer API were not escaping user-suppli React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
nvd
CVE-2013-7035MEDIUM≥ 0.4.0, < 0.4.2≥ 0.5.0, < 0.5.22020-09-04
CVE-2013-7035 [MEDIUM] CWE-79 Cross-Site Scripting in react Cross-Site Scripting in react Affected versions of `react` are vulnerable to Cross-Site Scripting (XSS). The package fails to properly sanitize input used to create keys. This may allow attackers to execute arbitrary JavaScript if a key is generated from user input. ## Recommendation If you are using `react` 0.5.x, upgrade to version 0.5.2 or later. If you are using `react` 0.4.x, upgrade to version 0.4.2 or later.
ghsaosv
Facebook React vulnerabilities | cvebase