Lookup for vulnerable packages by Package URL.

Purl pkg:npm/react-server-dom-turbopack@19.0.2
Type npm
Namespace
Name react-server-dom-turbopack
Version 19.0.2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 19.0.4
Latest_non_vulnerable_version 19.3.0-canary-06fcc8f3-20251009
Affected_by_vulnerabilities
0
url VCID-bwdv-fw3h-dfce
vulnerability_id VCID-bwdv-fw3h-dfce
summary
React Server Components have multiple Denial of Service Vulnerabilities
## Impact

It was found that the fixes to address DoS in React Server Components were incomplete, and we found that multiple denial of service vulnerabilities still exist in React Server Components.

We recommend updating immediately.

The vulnerability exists in versions 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.2.0, 19.2.1, 19.2.2, 19.2.3 of:

- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)  
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)  
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and the application code.

## Patches

Fixes were backported to versions 19.0.4, 19.1.5, and 19.2.4.

If you are using any of the above packages, please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

## References

See the [blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more information and upgrade instructions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23864.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23864.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23864
reference_id
reference_type
scores
0
value 0.01395
scoring_system epss
scoring_elements 0.80341
published_at 2026-04-02T12:55:00Z
1
value 0.01456
scoring_system epss
scoring_elements 0.80898
published_at 2026-04-29T12:55:00Z
2
value 0.01456
scoring_system epss
scoring_elements 0.80887
published_at 2026-04-26T12:55:00Z
3
value 0.01456
scoring_system epss
scoring_elements 0.80881
published_at 2026-04-24T12:55:00Z
4
value 0.01456
scoring_system epss
scoring_elements 0.80858
published_at 2026-04-21T12:55:00Z
5
value 0.01456
scoring_system epss
scoring_elements 0.80856
published_at 2026-04-18T12:55:00Z
6
value 0.01456
scoring_system epss
scoring_elements 0.80854
published_at 2026-04-16T12:55:00Z
7
value 0.01456
scoring_system epss
scoring_elements 0.80823
published_at 2026-04-09T12:55:00Z
8
value 0.01456
scoring_system epss
scoring_elements 0.80914
published_at 2026-05-05T12:55:00Z
9
value 0.01456
scoring_system epss
scoring_elements 0.80787
published_at 2026-04-07T12:55:00Z
10
value 0.01456
scoring_system epss
scoring_elements 0.80814
published_at 2026-04-08T12:55:00Z
11
value 0.01456
scoring_system epss
scoring_elements 0.8084
published_at 2026-04-11T12:55:00Z
12
value 0.01456
scoring_system epss
scoring_elements 0.80817
published_at 2026-04-13T12:55:00Z
13
value 0.01456
scoring_system epss
scoring_elements 0.80825
published_at 2026-04-12T12:55:00Z
14
value 0.01456
scoring_system epss
scoring_elements 0.8079
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23864
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
5
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
6
reference_url https://www.facebook.com/security/advisories/cve-2026-23864
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-26T20:26:03Z/
url https://www.facebook.com/security/advisories/cve-2026-23864
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433059
reference_id 2433059
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433059
8
reference_url https://github.com/advisories/GHSA-83fc-fqcc-2hmg
reference_id GHSA-83fc-fqcc-2hmg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-83fc-fqcc-2hmg
9
reference_url https://access.redhat.com/errata/RHSA-2026:13571
reference_id RHSA-2026:13571
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:13571
fixed_packages
0
url pkg:npm/react-server-dom-turbopack@19.0.4
purl pkg:npm/react-server-dom-turbopack@19.0.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.0.4
1
url pkg:npm/react-server-dom-turbopack@19.1.5
purl pkg:npm/react-server-dom-turbopack@19.1.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.1.5
2
url pkg:npm/react-server-dom-turbopack@19.2.4
purl pkg:npm/react-server-dom-turbopack@19.2.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.4
aliases CVE-2026-23864, GHSA-83fc-fqcc-2hmg
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bwdv-fw3h-dfce
1
url VCID-pbfy-s6g4-w7ex
vulnerability_id VCID-pbfy-s6g4-w7ex
summary
Denial of Service Vulnerability in React Server Components
It was found that the fix to address [CVE-2025-55184](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and does not prevent a denial of service attack in a specific case.

We recommend updating immediately.

The vulnerability exists in versions 19.0.2, 19.1.3, and 19.2.2 of:

- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

These issues are present in the patches published on December 11th, 2025.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-67779.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-67779.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-67779
reference_id
reference_type
scores
0
value 0.0013
scoring_system epss
scoring_elements 0.32628
published_at 2026-04-02T12:55:00Z
1
value 0.00167
scoring_system epss
scoring_elements 0.37907
published_at 2026-04-04T12:55:00Z
2
value 0.00167
scoring_system epss
scoring_elements 0.37864
published_at 2026-04-11T12:55:00Z
3
value 0.00167
scoring_system epss
scoring_elements 0.37849
published_at 2026-04-09T12:55:00Z
4
value 0.00167
scoring_system epss
scoring_elements 0.37836
published_at 2026-04-08T12:55:00Z
5
value 0.00167
scoring_system epss
scoring_elements 0.37786
published_at 2026-04-07T12:55:00Z
6
value 0.00306
scoring_system epss
scoring_elements 0.53714
published_at 2026-05-05T12:55:00Z
7
value 0.00378
scoring_system epss
scoring_elements 0.59354
published_at 2026-04-13T12:55:00Z
8
value 0.00378
scoring_system epss
scoring_elements 0.59372
published_at 2026-04-12T12:55:00Z
9
value 0.00378
scoring_system epss
scoring_elements 0.59355
published_at 2026-04-29T12:55:00Z
10
value 0.00378
scoring_system epss
scoring_elements 0.59393
published_at 2026-04-18T12:55:00Z
11
value 0.00378
scoring_system epss
scoring_elements 0.59387
published_at 2026-04-16T12:55:00Z
12
value 0.00378
scoring_system epss
scoring_elements 0.59371
published_at 2026-04-26T12:55:00Z
13
value 0.00378
scoring_system epss
scoring_elements 0.59351
published_at 2026-04-24T12:55:00Z
14
value 0.00378
scoring_system epss
scoring_elements 0.59374
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-67779
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-12T18:39:24Z/
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2421678
reference_id 2421678
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2421678
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-67779
reference_id CVE-2025-67779
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-67779
6
reference_url https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956
reference_id GHSA-2m3v-v2m8-q956
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956
7
reference_url https://github.com/advisories/GHSA-7gmr-mq3h-m5h9
reference_id GHSA-7gmr-mq3h-m5h9
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7gmr-mq3h-m5h9
8
reference_url https://github.com/facebook/react/security/advisories/GHSA-7gmr-mq3h-m5h9
reference_id GHSA-7gmr-mq3h-m5h9
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-7gmr-mq3h-m5h9
fixed_packages
0
url pkg:npm/react-server-dom-turbopack@19.0.3
purl pkg:npm/react-server-dom-turbopack@19.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.0.3
1
url pkg:npm/react-server-dom-turbopack@19.1.4
purl pkg:npm/react-server-dom-turbopack@19.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.1.4
2
url pkg:npm/react-server-dom-turbopack@19.2.3
purl pkg:npm/react-server-dom-turbopack@19.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.3
aliases CVE-2025-67779, GHSA-7gmr-mq3h-m5h9
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pbfy-s6g4-w7ex
Fixing_vulnerabilities
0
url VCID-hznz-envu-kfcq
vulnerability_id VCID-hznz-envu-kfcq
summary
Source Code Exposure Vulnerability in React Server Components
There is a source code exposure vulnerability in React Server Components.

React recommends updating immediately.

The vulnerability exists in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of:

- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

These issues are present in the patches published last week.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55183.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55183.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55183
reference_id
reference_type
scores
0
value 0.19834
scoring_system epss
scoring_elements 0.95445
published_at 2026-04-12T12:55:00Z
1
value 0.19834
scoring_system epss
scoring_elements 0.95466
published_at 2026-04-29T12:55:00Z
2
value 0.19834
scoring_system epss
scoring_elements 0.9546
published_at 2026-04-18T12:55:00Z
3
value 0.19834
scoring_system epss
scoring_elements 0.95447
published_at 2026-04-13T12:55:00Z
4
value 0.19834
scoring_system epss
scoring_elements 0.95456
published_at 2026-04-16T12:55:00Z
5
value 0.19834
scoring_system epss
scoring_elements 0.95465
published_at 2026-04-24T12:55:00Z
6
value 0.2095
scoring_system epss
scoring_elements 0.95617
published_at 2026-04-07T12:55:00Z
7
value 0.2095
scoring_system epss
scoring_elements 0.95633
published_at 2026-04-11T12:55:00Z
8
value 0.2095
scoring_system epss
scoring_elements 0.95628
published_at 2026-04-09T12:55:00Z
9
value 0.2095
scoring_system epss
scoring_elements 0.95614
published_at 2026-04-04T12:55:00Z
10
value 0.2095
scoring_system epss
scoring_elements 0.95625
published_at 2026-04-08T12:55:00Z
11
value 0.22222
scoring_system epss
scoring_elements 0.95822
published_at 2026-04-21T12:55:00Z
12
value 0.22554
scoring_system epss
scoring_elements 0.95879
published_at 2026-05-05T12:55:00Z
13
value 0.23425
scoring_system epss
scoring_elements 0.95938
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55183
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-07T16:24:47Z/
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2421590
reference_id 2421590
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2421590
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55183
reference_id CVE-2025-55183
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55183
6
reference_url https://www.facebook.com/security/advisories/cve-2025-55183
reference_id CVE-2025-55183
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-07T16:24:47Z/
url https://www.facebook.com/security/advisories/cve-2025-55183
7
reference_url https://github.com/advisories/GHSA-925w-6v3x-g4j4
reference_id GHSA-925w-6v3x-g4j4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-925w-6v3x-g4j4
8
reference_url https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4
reference_id GHSA-925w-6v3x-g4j4
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4
fixed_packages
0
url pkg:npm/react-server-dom-turbopack@19.0.2
purl pkg:npm/react-server-dom-turbopack@19.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-pbfy-s6g4-w7ex
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.0.2
1
url pkg:npm/react-server-dom-turbopack@19.1.0-canary-029e8bd6-20250306
purl pkg:npm/react-server-dom-turbopack@19.1.0-canary-029e8bd6-20250306
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.1.0-canary-029e8bd6-20250306
2
url pkg:npm/react-server-dom-turbopack@19.1.3
purl pkg:npm/react-server-dom-turbopack@19.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-pbfy-s6g4-w7ex
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.1.3
3
url pkg:npm/react-server-dom-turbopack@19.2.0-canary-0038c501-20250429
purl pkg:npm/react-server-dom-turbopack@19.2.0-canary-0038c501-20250429
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.0-canary-0038c501-20250429
4
url pkg:npm/react-server-dom-turbopack@19.2.2
purl pkg:npm/react-server-dom-turbopack@19.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-pbfy-s6g4-w7ex
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.2
5
url pkg:npm/react-server-dom-turbopack@19.3.0-canary-06fcc8f3-20251009
purl pkg:npm/react-server-dom-turbopack@19.3.0-canary-06fcc8f3-20251009
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.3.0-canary-06fcc8f3-20251009
aliases CVE-2025-55183, GHSA-925w-6v3x-g4j4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hznz-envu-kfcq
1
url VCID-q3r3-ykj4-3qbr
vulnerability_id VCID-q3r3-ykj4-3qbr
summary
Denial of Service Vulnerability in React Server Components
There is a denial of service vulnerability in React Server Components.

React recommends updating immediately.

The vulnerability exists in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of:

- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

These issues are present in the patches published last week.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55184.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55184.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55184
reference_id
reference_type
scores
0
value 0.21089
scoring_system epss
scoring_elements 0.95633
published_at 2026-04-07T12:55:00Z
1
value 0.21089
scoring_system epss
scoring_elements 0.95651
published_at 2026-04-11T12:55:00Z
2
value 0.21089
scoring_system epss
scoring_elements 0.95646
published_at 2026-04-09T12:55:00Z
3
value 0.21089
scoring_system epss
scoring_elements 0.95642
published_at 2026-04-08T12:55:00Z
4
value 0.21089
scoring_system epss
scoring_elements 0.9563
published_at 2026-04-04T12:55:00Z
5
value 0.23574
scoring_system epss
scoring_elements 0.95957
published_at 2026-04-02T12:55:00Z
6
value 0.26234
scoring_system epss
scoring_elements 0.96309
published_at 2026-04-16T12:55:00Z
7
value 0.26234
scoring_system epss
scoring_elements 0.963
published_at 2026-04-13T12:55:00Z
8
value 0.26234
scoring_system epss
scoring_elements 0.96296
published_at 2026-04-12T12:55:00Z
9
value 0.26234
scoring_system epss
scoring_elements 0.96313
published_at 2026-04-18T12:55:00Z
10
value 0.26234
scoring_system epss
scoring_elements 0.96318
published_at 2026-04-29T12:55:00Z
11
value 0.26234
scoring_system epss
scoring_elements 0.96316
published_at 2026-04-26T12:55:00Z
12
value 0.26234
scoring_system epss
scoring_elements 0.96315
published_at 2026-04-24T12:55:00Z
13
value 0.29056
scoring_system epss
scoring_elements 0.96593
published_at 2026-04-21T12:55:00Z
14
value 0.36988
scoring_system epss
scoring_elements 0.97178
published_at 2026-05-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55184
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-15T16:36:27Z/
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2421588
reference_id 2421588
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2421588
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55184
reference_id CVE-2025-55184
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55184
6
reference_url https://www.facebook.com/security/advisories/cve-2025-55184
reference_id CVE-2025-55184
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-15T16:36:27Z/
url https://www.facebook.com/security/advisories/cve-2025-55184
7
reference_url https://github.com/advisories/GHSA-2m3v-v2m8-q956
reference_id GHSA-2m3v-v2m8-q956
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2m3v-v2m8-q956
8
reference_url https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956
reference_id GHSA-2m3v-v2m8-q956
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956
fixed_packages
0
url pkg:npm/react-server-dom-turbopack@19.0.2
purl pkg:npm/react-server-dom-turbopack@19.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-pbfy-s6g4-w7ex
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.0.2
1
url pkg:npm/react-server-dom-turbopack@19.1.0-canary-029e8bd6-20250306
purl pkg:npm/react-server-dom-turbopack@19.1.0-canary-029e8bd6-20250306
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.1.0-canary-029e8bd6-20250306
2
url pkg:npm/react-server-dom-turbopack@19.1.3
purl pkg:npm/react-server-dom-turbopack@19.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-pbfy-s6g4-w7ex
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.1.3
3
url pkg:npm/react-server-dom-turbopack@19.2.0-canary-0038c501-20250429
purl pkg:npm/react-server-dom-turbopack@19.2.0-canary-0038c501-20250429
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.0-canary-0038c501-20250429
4
url pkg:npm/react-server-dom-turbopack@19.2.2
purl pkg:npm/react-server-dom-turbopack@19.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwdv-fw3h-dfce
1
vulnerability VCID-pbfy-s6g4-w7ex
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.2.2
5
url pkg:npm/react-server-dom-turbopack@19.3.0-canary-06fcc8f3-20251009
purl pkg:npm/react-server-dom-turbopack@19.3.0-canary-06fcc8f3-20251009
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.3.0-canary-06fcc8f3-20251009
aliases CVE-2025-55184, GHSA-2m3v-v2m8-q956
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q3r3-ykj4-3qbr
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/react-server-dom-turbopack@19.0.2