ALL POSTS

Key Findings: React team issued urgent security advisory about incomplete fixes for Denial of Service (DoS) vulnerabilities in React Server Components New high-severity flaw CVE-2026-23864 (CVSS 7.5) allows attackers to trigger server crashes, out-of-memory exceptions, or excessive CPU usage via "specially crafted HTTP requests" Vulnerability affects React packages using server-side rendering (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) in v

Key Findings CVE-2025-55184 (CVSS 7.5) - A pre-authentication denial of service vulnerability in React Server Components (RSC) that can trigger an infinite loop and hang the server process CVE-2025-67779 (CVSS 7.5) - An incomplete fix for CVE-2025-55184 with the same impact CVE-2025-55183 (CVSS 5.3) - An information leak vulnerability that may expose the source code of a vulnerable Server Function Background The React team has released fixes for three new vulnerabilities in R

Key Findings Critical security flaw discovered in React Server Components (RSC) with a CVSS score of 10.0 (maximum severity) Vulnerability allows unauthenticated remote code execution (RCE) by exploiting a deserialization issue in how React decodes payloads sent to React Server Function endpoints Issue affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as Next.js versions >=14.3.0-canary.77, >=15, and >=16 Vulnerability codenamed "React2shell" and assigned CVE-2