Description
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected products
- Meta / react-server-dom-parcel19.2.0 – 19.2.1
- Meta / react-server-dom-parcel19.0.0 – 19.0.1
- Meta / react-server-dom-parcel19.1.0 – 19.1.2
- Meta / react-server-dom-turbopack19.1.0 – 19.1.2
- Meta / react-server-dom-turbopack19.0.0 – 19.0.1
- Meta / react-server-dom-turbopack19.2.0 – 19.2.1
- Meta / react-server-dom-webpack19.0.0 – 19.0.1
- Meta / react-server-dom-webpack19.2.0 – 19.2.1
- Meta / react-server-dom-webpack19.1.0 – 19.1.2
Exploits & proofs of concept
- nucleiReact Server Components - Denial of Serviceby DhiyaneshDk
Updated 6m ago · 2 sources