react-server-dom-webpack 19.0.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the react-server-dom-webpack package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the decoding reply functions of React Flight protocol. An attacker can cause server crashes, out-of-memory exceptions, or excessive CPU usage by sending specially crafted HTTP requests to Server Function endpoints. Notes: This issue is a result of an incomplete fix for CVE-2025-55184 If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `react-server-dom-webpack` to version 19.0.4, 19.1.5, 19.2.4 or higher.	>=19.0.0-canary-2b036d3f1-20240327 <19.0.4>=19.1.0-canary-130095f7-20241212 <19.1.5>=19.2.0-canary-63779030-20250328 <19.2.4
M Exposure of Sensitive System Information to an Unauthorized Control Sphere react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere. An attacker can access the source code of any Server Function by sending a malicious HTTP request to a vulnerable Server Function. Notes: This is only exploitable if a Server Function exists that explicitly or implicitly exposes a stringified argument: 'use server'; export async function serverFunction(name) { const conn = db.createConnection('SECRET KEY'); const user = await conn.createUser(name); // implicitly stringified, leaked in db return { id: user.id, message: `Hello, ${name}!` // explicitly stringified, leaked in reply }} An attacker may be able to leak the following: 0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"} 1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"} Secrets hardcoded in source code may be exposed, but runtime secrets such as `process.env.SECRET` are not affected. The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed. If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`. This is required to mitigate the security advisories, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native. See this issue for more information. How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere? Upgrade `react-server-dom-webpack` to version 19.0.2, 19.1.3, 19.2.2 or higher.	>=19.0.0 <19.0.2>=19.1.0 <19.1.3>=19.2.0 <19.2.2
H Deserialization of Untrusted Data react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. An attacker can cause the server process to enter an infinite loop and hang, preventing it from serving future HTTP requests by sending specially crafted payloads. Notes: Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed. If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`. This is required to mitigate the security advisories, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native. See this issue for more information. How to fix Deserialization of Untrusted Data? Upgrade `react-server-dom-webpack` to version 19.0.4, 19.1.5, 19.2.4 or higher.	>=19.0.0 <19.0.4>=19.1.0 <19.1.5>=19.2.0 <19.2.4

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the decoding reply functions of React Flight protocol. An attacker can cause server crashes, out-of-memory exceptions, or excessive CPU usage by sending specially crafted HTTP requests to Server Function endpoints.

Notes:

This issue is a result of an incomplete fix for CVE-2025-55184
If your app’s React code does not use a server, your app is not affected by these vulnerabilities.
If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade react-server-dom-webpack to version 19.0.4, 19.1.5, 19.2.4 or higher.

>=19.0.0-canary-2b036d3f1-20240327 <19.0.4>=19.1.0-canary-130095f7-20241212 <19.1.5>=19.2.0-canary-63779030-20250328 <19.2.4

Exposure of Sensitive System Information to an Unauthorized Control Sphere

react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere. An attacker can access the source code of any Server Function by sending a malicious HTTP request to a vulnerable Server Function.

Notes:

This is only exploitable if a Server Function exists that explicitly or implicitly exposes a stringified argument:

'use server';

export async function serverFunction(name) {
  const conn = db.createConnection('SECRET KEY');
  const user = await conn.createUser(name); // implicitly stringified, leaked in db

  return {
   id: user.id,
   message: `Hello, ${name}!` // explicitly stringified, leaked in reply
  }}

An attacker may be able to leak the following:

0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"}
1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"}

Secrets hardcoded in source code may be exposed, but runtime secrets such as process.env.SECRET are not affected.

The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. This is required to mitigate the security advisories, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native. See this issue for more information.

How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

Upgrade react-server-dom-webpack to version 19.0.2, 19.1.3, 19.2.2 or higher.

>=19.0.0 <19.0.2>=19.1.0 <19.1.3>=19.2.0 <19.2.2

Deserialization of Untrusted Data

react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. An attacker can cause the server process to enter an infinite loop and hang, preventing it from serving future HTTP requests by sending specially crafted payloads.

Notes:

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

How to fix Deserialization of Untrusted Data?

Upgrade react-server-dom-webpack to version 19.0.4, 19.1.5, 19.2.4 or higher.

>=19.0.0 <19.0.4>=19.1.0 <19.1.5>=19.2.0 <19.2.4

react-server-dom-webpack@19.0.1 vulnerabilities

React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically