react-server-dom-turbopack 19.1.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the react-server-dom-turbopack package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Exposure of Sensitive System Information to an Unauthorized Control Sphere react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere. An attacker can access the source code of any Server Function by sending a malicious HTTP request to a vulnerable Server Function. Notes: This is only exploitable if a Server Function exists that explicitly or implicitly exposes a stringified argument: 'use server'; export async function serverFunction(name) { const conn = db.createConnection('SECRET KEY'); const user = await conn.createUser(name); // implicitly stringified, leaked in db return { id: user.id, message: `Hello, ${name}!` // explicitly stringified, leaked in reply }} An attacker may be able to leak the following: 0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"} 1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"} Secrets hardcoded in source code may be exposed, but runtime secrets such as `process.env.SECRET` are not affected. The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed. If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`. This is required to mitigate the security advisories, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native. See this issue for more information. How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere? Upgrade `react-server-dom-turbopack` to version 19.0.2, 19.1.3, 19.2.2 or higher.	>=19.0.0 <19.0.2>=19.1.0 <19.1.3>=19.2.0 <19.2.2
H Deserialization of Untrusted Data react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. An attacker can cause the server process to enter an infinite loop and hang, preventing it from serving future HTTP requests by sending specially crafted payloads. Notes: Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed. If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`. This is required to mitigate the security advisories, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native. See this issue for more information. How to fix Deserialization of Untrusted Data? Upgrade `react-server-dom-turbopack` to version 19.0.2, 19.1.3, 19.2.2 or higher.	>=19.0.0 <19.0.2>=19.1.0 <19.1.3>=19.2.0 <19.2.2
C Arbitrary Code Injection react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe deserialization of RSC payloads from HTTP requests to Server Function endpoints. An unauthenticated attacker can execute arbitrary code on the server by sending malicious HTTP requests. Note: Serverless applications and applications that do not use a framework, bundler, or bundler plugin that supports React Server Components are not affected by this vulnerability. How to fix Arbitrary Code Injection? Upgrade `react-server-dom-turbopack` to version 19.0.1, 19.1.2, 19.2.1 or higher.	>=19.0.0-rc.0 <19.0.1>=19.1.0 <19.1.2>=19.2.0 <19.2.1

Vulnerability

Vulnerable Version

Exposure of Sensitive System Information to an Unauthorized Control Sphere

react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere. An attacker can access the source code of any Server Function by sending a malicious HTTP request to a vulnerable Server Function.

Notes:

This is only exploitable if a Server Function exists that explicitly or implicitly exposes a stringified argument:

'use server';

export async function serverFunction(name) {
  const conn = db.createConnection('SECRET KEY');
  const user = await conn.createUser(name); // implicitly stringified, leaked in db

  return {
   id: user.id,
   message: `Hello, ${name}!` // explicitly stringified, leaked in reply
  }}

An attacker may be able to leak the following:

0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"}
1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"}

Secrets hardcoded in source code may be exposed, but runtime secrets such as process.env.SECRET are not affected.

The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. This is required to mitigate the security advisories, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native. See this issue for more information.

How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

Upgrade react-server-dom-turbopack to version 19.0.2, 19.1.3, 19.2.2 or higher.

>=19.0.0 <19.0.2>=19.1.0 <19.1.3>=19.2.0 <19.2.2

Deserialization of Untrusted Data

react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. An attacker can cause the server process to enter an infinite loop and hang, preventing it from serving future HTTP requests by sending specially crafted payloads.

Notes:

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

How to fix Deserialization of Untrusted Data?

Upgrade react-server-dom-turbopack to version 19.0.2, 19.1.3, 19.2.2 or higher.

>=19.0.0 <19.0.2>=19.1.0 <19.1.3>=19.2.0 <19.2.2

Arbitrary Code Injection

react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.

Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe deserialization of RSC payloads from HTTP requests to Server Function endpoints. An unauthenticated attacker can execute arbitrary code on the server by sending malicious HTTP requests.

Note:

Serverless applications and applications that do not use a framework, bundler, or bundler plugin that supports React Server Components are not affected by this vulnerability.

How to fix Arbitrary Code Injection?

Upgrade react-server-dom-turbopack to version 19.0.1, 19.1.2, 19.2.1 or higher.

>=19.0.0-rc.0 <19.0.1>=19.1.0 <19.1.2>=19.2.0 <19.2.1

react-server-dom-turbopack@19.1.1 vulnerabilities

React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically