@modern-js/utils@2.69.0 vulnerabilities

A Progressive React Framework for modern web development.

  • latest version: 3.0.2

  • latest non vulnerable version:

  • first published: 4 years ago

  • latest version published: 1 day ago

  • licenses detected:

  • Direct Vulnerabilities

    Known vulnerabilities in the @modern-js/utils package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Severity: High
    Allocation of Resources Without Limits or Throttling

    @modern-js/utils is a progressive web framework based on React.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the decoding reply functions of React Flight protocol. An attacker can cause server crashes, out-of-memory exceptions, or excessive CPU usage by sending specially crafted HTTP requests to Server Function endpoints.

    Notes:

    • This issue is a result of an incomplete fix for CVE-2025-55184
    • If your app’s React code does not use a server, your app is not affected by these vulnerabilities.
    • If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade @modern-js/utils to version 2.70.5 or higher.

    Vulnerable versions: >=2.65.2 <2.70.5
    • Severity: High
    Deserialization of Untrusted Data

    @modern-js/utils is a progressive web framework based on React.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. An attacker can cause the server process to enter an infinite loop and hang, preventing it from serving future HTTP requests by sending specially crafted payloads.

    Notes:

    Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

    If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

    For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

    If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. This is required to mitigate the security advisories, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native. See this issue for more information.

    How to fix Deserialization of Untrusted Data?

    Upgrade @modern-js/utils to version 2.69.3 or higher.

    Vulnerable versions: >=2.65.2 <2.69.3
    • Severity: Critical
    Arbitrary Code Injection

    @modern-js/utils is a progressive web framework based on React.

    Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe deserialization of RSC payloads from HTTP requests to Server Function endpoints. An unauthenticated attacker can execute arbitrary code on the server by sending malicious HTTP requests.

    Note:

    Serverless applications and applications that do not use a framework, bundler, or bundler plugin that supports React Server Components are not affected by this vulnerability.

    Modern.js ships with a bundled copy of react-server-dom-webpack@19.0.0; however, at the time of disclosure, the RSC features were in development and required an opt-in. The vulnerability is exploitable only if RSC services are explicitly enabled; without setting server.rsc: true, the RSC plugin is not loaded, and the application does not execute the vulnerable code.

    How to fix Arbitrary Code Injection?

    Upgrade @modern-js/utils to version 2.69.3 or higher.

    Vulnerable versions: >=2.65.2 <2.69.3
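The three advisories above share the lower bound 2.65.2 but fix in different releases (2.69.3 and 2.70.5), and Modern.js may appear more than once in a lockfile (a top-level copy plus nested copies under other packages). The following script is an added example, not code from Snyk or from the Modern.js project: it parses semver versions, evaluates the affected ranges exactly as printed on this page, and scans a package-lock.json `packages` map (lockfile v2/v3 layout) for every copy of @modern-js/utils. The lockfile content and the function names are constructed for the example.

```javascript
// Added example: check installed @modern-js/utils versions against the
// affected ranges listed in the advisories above. Not part of Snyk or Modern.js.

const PACKAGE = '@modern-js/utils';

// Ranges and fix versions copied from the advisories on this page.
const ADVISORIES = [
  { title: 'Allocation of Resources Without Limits or Throttling', severity: 'High',     range: '>=2.65.2 <2.70.5', fixedIn: '2.70.5' },
  { title: 'Deserialization of Untrusted Data',                     severity: 'High',     range: '>=2.65.2 <2.69.3', fixedIn: '2.69.3' },
  { title: 'Arbitrary Code Injection',                              severity: 'Critical', range: '>=2.65.2 <2.69.3', fixedIn: '2.69.3' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (build metadata is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// -1 / 0 / 1 ordering; a pre-release sorts below its final release (2.70.5-rc.1 < 2.70.5).
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Evaluate a space-separated comparator set such as ">=2.65.2 <2.70.5" (all must hold).
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.trim().split(/\s+/).every((comparator) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
    const op = m[1] || '=';
    const cmp = compareVersions(v, parseVersion(m[2]));
    switch (op) {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '<':  return cmp < 0;
      default:   return cmp === 0;
    }
  });
}

// Advisories that apply to one version of the package.
function audit(version) {
  return ADVISORIES.filter((a) => satisfies(version, a.range));
}

// Lowest version that closes every advisory a given version is exposed to (null if none).
function minimumFixVersion(version) {
  const fixes = audit(version).map((a) => a.fixedIn);
  if (fixes.length === 0) return null;
  return fixes.reduce((best, f) => (compareVersions(parseVersion(f), parseVersion(best)) > 0 ? f : best));
}

// Every copy of `name` in a lockfile v2/v3 "packages" map, including nested node_modules paths.
function findInLockfile(lock, name = PACKAGE) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// One finding per vulnerable copy: where it lives, its version, and which advisories apply.
function auditLockfile(lock) {
  return findInLockfile(lock)
    .map((hit) => ({ ...hit, advisories: audit(hit.version).map((a) => a.title), upgradeTo: minimumFixVersion(hit.version) }))
    .filter((f) => f.advisories.length > 0);
}

// Constructed sample lockfile: a vulnerable top-level copy and a patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@modern-js/utils': { version: '2.69.0' },
    'node_modules/some-plugin/node_modules/@modern-js/utils': { version: '2.70.5' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
}
```

Run it against a real project by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; `upgradeTo` reports 2.70.5 for versions that are still exposed to the incomplete-fix advisory even after the 2.69.3 fixes, which is the check that matters on this page.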