Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    27 vulnerabilities by Meta

    CVE-2026-23870 (GCVE-0-2026-23870)

    Vulnerability from nvd – Published: 2026-05-06 16:24 – Updated: 2026-05-06 19:06
    VLAI
    Summary
    A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.5 (semver)
    Affected: 19.1.0 , ≤ 19.1.6 (semver)
    Affected: 19.2.0 , ≤ 19.2.5 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.5 (semver)
    Affected: 19.1.0 , ≤ 19.1.6 (semver)
    Affected: 19.2.0 , ≤ 19.2.5 (semver)
    Create a notification for this product.
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.5 (semver)
    Affected: 19.1.0 , ≤ 19.1.6 (semver)
    Affected: 19.2.0 , ≤ 19.2.5 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23870",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T19:03:16.700440Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T19:06:00.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.5",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.6",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.5",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.5",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.6",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.5",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.5",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.6",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.5",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2026-05-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T16:24:55.620Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23870",
        "datePublished": "2026-05-06T16:24:55.620Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-05-06T19:06:00.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23869 (GCVE-0-2026-23869)

    Vulnerability from nvd – Published: 2026-04-08 19:11 – Updated: 2026-06-30 12:06
    VLAI
    Summary
    A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.4 (semver)
    Affected: 19.1.0 , ≤ 19.1.5 (semver)
    Affected: 19.2.0 , ≤ 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.4 (semver)
    Affected: 19.1.0 , ≤ 19.1.5 (semver)
    Affected: 19.2.0 , ≤ 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.4 (semver)
    Affected: 19.1.0 , ≤ 19.1.5 (semver)
    Affected: 19.2.0 , ≤ 19.2.4 (semver)
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23869",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T19:55:33.314236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T19:56:22.791Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-08T19:11:08.418Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack. Specially crafted HTTP requests to server function endpoints can result in an excessive consumption of CPU resources for up to a minute, causing an error that is catchable."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:42.728Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-23869"
              },
              {
                "name": "RHBZ#2456663",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456663"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23869.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-08T20:01:00.803Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-08T19:11:08.418Z",
                "value": "Made public."
              }
            ],
            "title": "react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service via specially crafted HTTP requests to Server Function endpoints",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2026-04-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T19:11:08.418Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23869",
        "datePublished": "2026-04-08T19:11:08.418Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-06-30T12:06:42.728Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23864 (GCVE-0-2026-23864)

    Vulnerability from nvd – Published: 2026-01-26 19:16 – Updated: 2026-07-03 12:04
    VLAI
    Summary
    Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502): Deserialization of Untrusted Data. (CWE-400): Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-1284 - Improper Validation of Specified Quantity in Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 2.9.4     cpe:/a:redhat:amq_streams:2.9::el9
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 3.2.0     cpe:/a:redhat:amq_streams:3.2::el9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T20:26:03.428817Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T20:26:45.709Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 2.9.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 3.2.0",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-26T19:16:38.250Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in React Server Components. A remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to Server Function endpoints. This can lead to a Denial of Service (DoS), causing server crashes, out-of-memory exceptions, or excessive CPU usage, thereby impacting the availability of applications."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1284",
                    "description": "Improper Validation of Specified Quantity in Input",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-03T12:04:51.558Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-23864"
              },
              {
                "name": "RHBZ#2433059",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433059"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23864.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34608"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13571"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:34608: Streams for Apache Kafka 2.9.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13571: Streams for Apache Kafka 3.2.0"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-26T20:01:54.396Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-26T19:16:38.250Z",
                "value": "Made public."
              }
            ],
            "title": "react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.\n\nThe vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.\n\nStrongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502): Deserialization of Untrusted Data. (CWE-400): Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-26T19:16:38.250Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2026-23864"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23864",
        "datePublished": "2026-01-26T19:16:38.250Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-07-03T12:04:51.558Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-67779 (GCVE-0-2025-67779)

    Vulnerability from nvd – Published: 2025-12-11 23:36 – Updated: 2025-12-12 18:40
    VLAI
    Summary
    It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-parcel Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Meta react-server-dom-webpack Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67779",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T18:39:24.796538Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T18:40:45.863Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T23:36:20.699Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-67779"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-67779",
        "datePublished": "2025-12-11T23:36:20.699Z",
        "dateReserved": "2025-12-11T22:58:08.827Z",
        "dateUpdated": "2025-12-12T18:40:45.863Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55184 (GCVE-0-2025-55184)

    Vulnerability from nvd – Published: 2025-12-11 20:05 – Updated: 2025-12-15 16:37
    VLAI
    Summary
    A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55184",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T16:36:27.831763Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T16:37:06.708Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/KingHacker353/CVE-2025-55184"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:11:26.262Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55184"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55184",
        "datePublished": "2025-12-11T20:05:01.328Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2025-12-15T16:37:06.708Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55183 (GCVE-0-2025-55183)

    Vulnerability from nvd – Published: 2025-12-11 20:04 – Updated: 2026-01-07 16:26
    VLAI
    Summary
    An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55183",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-07T16:24:47.971492Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-07T16:26:47.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:09:32.286Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55183"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55183",
        "datePublished": "2025-12-11T20:04:48.655Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2026-01-07T16:26:47.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55182 (GCVE-0-2025-55182)

    Vulnerability from nvd – Published: 2025-12-03 15:40 – Updated: 2026-02-26 16:57
    Summary
    A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Deserialization of Untrusted Data (CWE-502)
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55182",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-06T04:55:43.783137Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2025-12-05",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T16:57:36.794Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "media-coverage"
                ],
                "url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
              },
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2025-12-05T00:00:00.000Z",
                "value": "CVE-2025-55182 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-04T17:32:12.884Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
              },
              {
                "url": "https://news.ycombinator.com/item?id=46136026"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-02T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Deserialization of Untrusted Data (CWE-502)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:15:37.699Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55182"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55182",
        "datePublished": "2025-12-03T15:40:56.894Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2026-02-26T16:57:36.794Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-30259 (GCVE-0-2025-30259)

    Vulnerability from nvd – Published: 2025-03-19 00:00 – Updated: 2025-03-20 20:36 Exclusively Hosted Service
    VLAI KEVIntel
    Summary
    The WhatsApp cloud service before late 2024 did not block certain crafted PDF content that can defeat a sandbox protection mechanism and consequently allow remote access to messaging applications by third parties, as exploited in the wild in 2024 for installation of Android malware associated with BIGPRETZEL.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Meta WhatsApp cloud service Affected: 0 , < late 2024 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-20T20:35:38.932684Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-20T20:36:29.389Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp cloud service",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "late 2024",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WhatsApp cloud service before late 2024 did not block certain crafted PDF content that can defeat a sandbox protection mechanism and consequently allow remote access to messaging applications by third parties, as exploited in the wild in 2024 for installation of Android malware associated with BIGPRETZEL."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-noinfo: Insufficient Information",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-20T00:21:52.401Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.bleepingcomputer.com/news/security/whatsapp-patched-zero-day-flaw-used-in-paragon-spyware-attacks/"
            },
            {
              "url": "https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/"
            }
          ],
          "tags": [
            "exclusively-hosted-service"
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-30259",
        "datePublished": "2025-03-19T00:00:00.000Z",
        "dateReserved": "2025-03-19T00:00:00.000Z",
        "dateUpdated": "2025-03-20T20:36:29.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-49400 (GCVE-0-2024-49400)

    Vulnerability from nvd – Published: 2024-10-17 17:15 – Updated: 2024-11-01 18:35
    VLAI
    Summary
    Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Permissive Regular Expression (CWE-625)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta Tacquito Affected: 0 , < 07b49d1358e6ec0b5aa482fcd284f509191119e2 (git)
    Create a notification for this product.
    facebook tacquito Affected: 0 , < 07b49d1358e6ec0b5aa482fcd284f509191119e2 (git)
        cpe:2.3:a:facebook:tacquito:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:facebook:tacquito:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "tacquito",
                "vendor": "facebook",
                "versions": [
                  {
                    "lessThan": "07b49d1358e6ec0b5aa482fcd284f509191119e2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "git"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-49400",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-01T18:32:45.694918Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-01T18:35:40.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tacquito",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "07b49d1358e6ec0b5aa482fcd284f509191119e2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "dateAssigned": "2024-10-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Permissive Regular Expression (CWE-625)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-17T17:15:17.191Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2024-49400"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2024-49400",
        "datePublished": "2024-10-17T17:15:17.191Z",
        "dateReserved": "2024-10-15T01:05:31.784Z",
        "dateUpdated": "2024-11-01T18:35:40.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-5654 (GCVE-0-2023-5654)

    Vulnerability from nvd – Published: 2023-10-19 14:28 – Updated: 2024-09-12 14:35
    VLAI
    Summary
    The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL’s via the victim's browser.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Credits
    Calum Hutton, Snyk
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:07:32.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-5654",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-10T13:31:19.969276Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-116",
                    "description": "CWE-116 Improper Encoding or Escaping of Output",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T14:35:37.964Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "React Developer Tools Extension",
              "vendor": "Meta",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.28.4"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Calum Hutton, Snyk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The React Developer Tools extension registers a message listener with window.addEventListener(\u0027message\u0027, \u003clistener\u003e) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL\u2019s via the victim\u0027s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-19T14:28:23.769Z",
            "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
            "shortName": "snyk"
          },
          "references": [
            {
              "url": "https://gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "assignerShortName": "snyk",
        "cveId": "CVE-2023-5654",
        "datePublished": "2023-10-19T14:28:23.769Z",
        "dateReserved": "2023-10-19T12:33:43.948Z",
        "dateUpdated": "2024-09-12T14:35:37.964Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45239 (GCVE-0-2023-45239)

    Vulnerability from nvd – Published: 2023-10-06 17:16 – Updated: 2025-02-13 17:13
    VLAI
    Summary
    A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-790 - Improper Filtering of Special Elements
    Assigner
    Impacted products
    Vendor Product Version
    Meta tac_plus Affected: 0 , < 4fdf178 (git)
    Create a notification for this product.
    meta tac_plus Affected: 0 , < 4fdf178 (custom)
        cpe:2.3:a:meta:tac_plus:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:19.824Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/tac_plus/pull/41"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/tac_plus/security/advisories/GHSA-p334-5r3g-4vx3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4J7ZYMFZB4G4OU5EDJPQLP6F6RKDGIH/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:meta:tac_plus:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "tac_plus",
                "vendor": "meta",
                "versions": [
                  {
                    "lessThan": "4fdf178",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45239",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T16:12:07.879707Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-790",
                    "description": "CWE-790 Improper Filtering of Special Elements",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T16:18:24.876Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "tac_plus",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "4fdf178",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "dateAssigned": "2023-10-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-790: Improper Filtering of Special Elements",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-09T23:06:16.555Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/facebook/tac_plus/pull/41"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/tac_plus/security/advisories/GHSA-p334-5r3g-4vx3"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4J7ZYMFZB4G4OU5EDJPQLP6F6RKDGIH/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2023-45239",
        "datePublished": "2023-10-06T17:16:16.797Z",
        "dateReserved": "2023-10-05T21:36:59.884Z",
        "dateUpdated": "2025-02-13T17:13:58.340Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-27492 (GCVE-0-2022-27492)

    Vulnerability from nvd – Published: 2022-09-23 14:00 – Updated: 2025-05-22 18:26
    VLAI
    Summary
    An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta WhatsApp Business for iOS Affected: unspecified , < v2.22.15.9 (custom)
    Create a notification for this product.
    Meta WhatsApp for iOS Affected: unspecified , < v2.22.15.9 (custom)
    Create a notification for this product.
    Meta WhatsApp for Android Affected: unspecified , < 2.22.16.2 (custom)
    Create a notification for this product.
    Meta WhatsApp Business for Android Affected: unspecified , < 2.22.16.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:32:57.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.whatsapp.com/security/advisories/2022/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-27492",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T15:47:52.158526Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T18:26:38.922Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WhatsApp Business for iOS",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "v2.22.15.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp for iOS",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "v2.22.15.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp for Android",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp Business for Android",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "dateAssigned": "2022-06-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-191",
                  "description": "CWE-191",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-23T14:00:14.000Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2022/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-assign@fb.com",
              "DATE_ASSIGNED": "2022-06-28",
              "ID": "CVE-2022-27492",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WhatsApp Business for iOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "v2.22.15.9 "
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp for iOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "v2.22.15.9 "
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp Business for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Meta"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-191"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.whatsapp.com/security/advisories/2022/",
                  "refsource": "CONFIRM",
                  "url": "https://www.whatsapp.com/security/advisories/2022/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2022-27492",
        "datePublished": "2022-09-23T14:00:14.000Z",
        "dateReserved": "2022-03-21T00:00:00.000Z",
        "dateUpdated": "2025-05-22T18:26:38.922Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36934 (GCVE-0-2022-36934)

    Vulnerability from nvd – Published: 2022-09-22 21:30 – Updated: 2025-05-27 16:05
    VLAI
    Summary
    An integer overflow in WhatsApp could result in remote code execution in an established video call.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta WhatsApp for iOS Affected: unspecified , < 2.22.16.12 (custom)
    Create a notification for this product.
    Meta WhatsApp Business for iOS Affected: unspecified , < 2.22.16.12 (custom)
    Create a notification for this product.
    Meta WhatsApp for Android Affected: unspecified , < 2.22.16.12 (custom)
    Create a notification for this product.
    Meta WhatsApp Business for Android Affected: unspecified , < 2.22.16.12 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:21:32.100Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.whatsapp.com/security/advisories/2022/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36934",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-27T16:05:45.458311Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-27T16:05:50.201Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WhatsApp for iOS",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp Business for iOS",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp for Android",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp Business for Android",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "dateAssigned": "2022-07-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An integer overflow in WhatsApp could result in remote code execution in an established video call."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-22T21:30:11.000Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2022/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-assign@fb.com",
              "DATE_ASSIGNED": "2022-07-27",
              "ID": "CVE-2022-36934",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WhatsApp for iOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp Business for iOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp Business for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.12"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Meta"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An integer overflow in WhatsApp could result in remote code execution in an established video call."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-122"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.whatsapp.com/security/advisories/2022/",
                  "refsource": "CONFIRM",
                  "url": "https://www.whatsapp.com/security/advisories/2022/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2022-36934",
        "datePublished": "2022-09-22T21:30:11.000Z",
        "dateReserved": "2022-07-27T00:00:00.000Z",
        "dateUpdated": "2025-05-27T16:05:50.201Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-23870 (GCVE-0-2026-23870)

    Vulnerability from cvelistv5 – Published: 2026-05-06 16:24 – Updated: 2026-05-06 19:06
    VLAI
    Summary
    A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.5 (semver)
    Affected: 19.1.0 , ≤ 19.1.6 (semver)
    Affected: 19.2.0 , ≤ 19.2.5 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.5 (semver)
    Affected: 19.1.0 , ≤ 19.1.6 (semver)
    Affected: 19.2.0 , ≤ 19.2.5 (semver)
    Create a notification for this product.
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.5 (semver)
    Affected: 19.1.0 , ≤ 19.1.6 (semver)
    Affected: 19.2.0 , ≤ 19.2.5 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23870",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T19:03:16.700440Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T19:06:00.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.5",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.6",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.5",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.5",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.6",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.5",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.5",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.6",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.5",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2026-05-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T16:24:55.620Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23870",
        "datePublished": "2026-05-06T16:24:55.620Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-05-06T19:06:00.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23869 (GCVE-0-2026-23869)

    Vulnerability from cvelistv5 – Published: 2026-04-08 19:11 – Updated: 2026-06-30 12:06
    VLAI
    Summary
    A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.4 (semver)
    Affected: 19.1.0 , ≤ 19.1.5 (semver)
    Affected: 19.2.0 , ≤ 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.4 (semver)
    Affected: 19.1.0 , ≤ 19.1.5 (semver)
    Affected: 19.2.0 , ≤ 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.4 (semver)
    Affected: 19.1.0 , ≤ 19.1.5 (semver)
    Affected: 19.2.0 , ≤ 19.2.4 (semver)
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23869",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T19:55:33.314236Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T19:56:22.791Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-08T19:11:08.418Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack. Specially crafted HTTP requests to server function endpoints can result in an excessive consumption of CPU resources for up to a minute, causing an error that is catchable."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:42.728Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-23869"
              },
              {
                "name": "RHBZ#2456663",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456663"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23869.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-08T20:01:00.803Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-08T19:11:08.418Z",
                "value": "Made public."
              }
            ],
            "title": "react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service via specially crafted HTTP requests to Server Function endpoints",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2026-04-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints.The payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T19:11:08.418Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23869",
        "datePublished": "2026-04-08T19:11:08.418Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-06-30T12:06:42.728Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23864 (GCVE-0-2026-23864)

    Vulnerability from cvelistv5 – Published: 2026-01-26 19:16 – Updated: 2026-07-03 12:04
    VLAI
    Summary
    Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502): Deserialization of Untrusted Data. (CWE-400): Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-1284 - Improper Validation of Specified Quantity in Input
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , < 19.0.4 (semver)
    Affected: 19.1.0 , < 19.1.5 (semver)
    Affected: 19.2.0 , < 19.2.4 (semver)
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 2.9.4     cpe:/a:redhat:amq_streams:2.9::el9
    Create a notification for this product.
    Red Hat Streams for Apache Kafka 3.2.0     cpe:/a:redhat:amq_streams:3.2::el9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23864",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T20:26:03.428817Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-26T20:26:45.709Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2.9::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 2.9.4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Streams for Apache Kafka 3.2.0",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-26T19:16:38.250Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in React Server Components. A remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to Server Function endpoints. This can lead to a Denial of Service (DoS), causing server crashes, out-of-memory exceptions, or excessive CPU usage, thereby impacting the availability of applications."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1284",
                    "description": "Improper Validation of Specified Quantity in Input",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-03T12:04:51.558Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-23864"
              },
              {
                "name": "RHBZ#2433059",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433059"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23864.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34608"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:13571"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:34608: Streams for Apache Kafka 2.9.4"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:13571: Streams for Apache Kafka 3.2.0"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-26T20:01:54.396Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-26T19:16:38.250Z",
                "value": "Made public."
              }
            ],
            "title": "react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "19.0.4",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.1.5",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "19.2.4",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.\n\nThe vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.\n\nStrongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502): Deserialization of Untrusted Data. (CWE-400): Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-26T19:16:38.250Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2026-23864"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2026-23864",
        "datePublished": "2026-01-26T19:16:38.250Z",
        "dateReserved": "2026-01-16T19:49:26.309Z",
        "dateUpdated": "2026-07-03T12:04:51.558Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-67779 (GCVE-0-2025-67779)

    Vulnerability from cvelistv5 – Published: 2025-12-11 23:36 – Updated: 2025-12-12 18:40
    VLAI
    Summary
    It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-parcel Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Meta react-server-dom-webpack Affected: 19.0.2 , ≤ 19.0.2 (semver)
    Affected: 19.1.3 , ≤ 19.1.3 (semver)
    Affected: 19.2.2 , ≤ 19.2.2 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67779",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-12T18:39:24.796538Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-12T18:40:45.863Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.2",
                  "status": "affected",
                  "version": "19.0.2",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.3",
                  "status": "affected",
                  "version": "19.1.3",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.2",
                  "status": "affected",
                  "version": "19.2.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data, (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T23:36:20.699Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-67779"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-67779",
        "datePublished": "2025-12-11T23:36:20.699Z",
        "dateReserved": "2025-12-11T22:58:08.827Z",
        "dateUpdated": "2025-12-12T18:40:45.863Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55184 (GCVE-0-2025-55184)

    Vulnerability from cvelistv5 – Published: 2025-12-11 20:05 – Updated: 2025-12-15 16:37
    VLAI
    Summary
    A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55184",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-15T16:36:27.831763Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-15T16:37:06.708Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/KingHacker353/CVE-2025-55184"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:11:26.262Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55184"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55184",
        "datePublished": "2025-12-11T20:05:01.328Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2025-12-15T16:37:06.708Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55183 (GCVE-0-2025-55183)

    Vulnerability from cvelistv5 – Published: 2025-12-11 20:04 – Updated: 2026-01-07 16:26
    VLAI
    Summary
    An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • (CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.1 (semver)
    Affected: 19.1.0 , ≤ 19.1.2 (semver)
    Affected: 19.2.0 , ≤ 19.2.1 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55183",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-07T16:24:47.971492Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-07T16:26:47.826Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.1",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.2",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.1",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "(CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:09:32.286Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55183"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55183",
        "datePublished": "2025-12-11T20:04:48.655Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2026-01-07T16:26:47.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55182 (GCVE-0-2025-55182)

    Vulnerability from cvelistv5 – Published: 2025-12-03 15:40 – Updated: 2026-02-26 16:57
    Summary
    A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Deserialization of Untrusted Data (CWE-502)
    Assigner
    Impacted products
    Vendor Product Version
    Meta react-server-dom-webpack Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Meta react-server-dom-turbopack Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Meta react-server-dom-parcel Affected: 19.0.0 , ≤ 19.0.0 (semver)
    Affected: 19.1.0 , ≤ 19.1.1 (semver)
    Affected: 19.2.0 , ≤ 19.2.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55182",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-06T04:55:43.783137Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2025-12-05",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
                  },
                  "type": "kev"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T16:57:36.794Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "media-coverage"
                ],
                "url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
              },
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2025-12-05T00:00:00.000Z",
                "value": "CVE-2025-55182 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-12-04T17:32:12.884Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
              },
              {
                "url": "https://news.ycombinator.com/item?id=46136026"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-webpack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-turbopack",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "react-server-dom-parcel",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThanOrEqual": "19.0.0",
                  "status": "affected",
                  "version": "19.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.1.1",
                  "status": "affected",
                  "version": "19.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "19.2.0",
                  "status": "affected",
                  "version": "19.2.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "dateAssigned": "2025-12-02T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Deserialization of Untrusted Data (CWE-502)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-11T20:15:37.699Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "Meta"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2025-55182"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "Meta",
        "cveId": "CVE-2025-55182",
        "datePublished": "2025-12-03T15:40:56.894Z",
        "dateReserved": "2025-08-08T18:21:47.119Z",
        "dateUpdated": "2026-02-26T16:57:36.794Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-30259 (GCVE-0-2025-30259)

    Vulnerability from cvelistv5 – Published: 2025-03-19 00:00 – Updated: 2025-03-20 20:36 Exclusively Hosted Service
    VLAI KEVIntel
    Summary
    The WhatsApp cloud service before late 2024 did not block certain crafted PDF content that can defeat a sandbox protection mechanism and consequently allow remote access to messaging applications by third parties, as exploited in the wild in 2024 for installation of Android malware associated with BIGPRETZEL.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Meta WhatsApp cloud service Affected: 0 , < late 2024 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30259",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-20T20:35:38.932684Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-20T20:36:29.389Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WhatsApp cloud service",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "late 2024",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WhatsApp cloud service before late 2024 did not block certain crafted PDF content that can defeat a sandbox protection mechanism and consequently allow remote access to messaging applications by third parties, as exploited in the wild in 2024 for installation of Android malware associated with BIGPRETZEL."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-noinfo: Insufficient Information",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-20T00:21:52.401Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.bleepingcomputer.com/news/security/whatsapp-patched-zero-day-flaw-used-in-paragon-spyware-attacks/"
            },
            {
              "url": "https://citizenlab.ca/2025/03/a-first-look-at-paragons-proliferating-spyware-operations/"
            }
          ],
          "tags": [
            "exclusively-hosted-service"
          ],
          "x_generator": {
            "engine": "enrichogram 0.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-30259",
        "datePublished": "2025-03-19T00:00:00.000Z",
        "dateReserved": "2025-03-19T00:00:00.000Z",
        "dateUpdated": "2025-03-20T20:36:29.389Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-49400 (GCVE-0-2024-49400)

    Vulnerability from cvelistv5 – Published: 2024-10-17 17:15 – Updated: 2024-11-01 18:35
    VLAI
    Summary
    Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Permissive Regular Expression (CWE-625)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta Tacquito Affected: 0 , < 07b49d1358e6ec0b5aa482fcd284f509191119e2 (git)
    Create a notification for this product.
    facebook tacquito Affected: 0 , < 07b49d1358e6ec0b5aa482fcd284f509191119e2 (git)
        cpe:2.3:a:facebook:tacquito:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:facebook:tacquito:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "tacquito",
                "vendor": "facebook",
                "versions": [
                  {
                    "lessThan": "07b49d1358e6ec0b5aa482fcd284f509191119e2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "git"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-49400",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-01T18:32:45.694918Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-01T18:35:40.761Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tacquito",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "07b49d1358e6ec0b5aa482fcd284f509191119e2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "dateAssigned": "2024-10-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Permissive Regular Expression (CWE-625)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-17T17:15:17.191Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2024-49400"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2024-49400",
        "datePublished": "2024-10-17T17:15:17.191Z",
        "dateReserved": "2024-10-15T01:05:31.784Z",
        "dateUpdated": "2024-11-01T18:35:40.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-5654 (GCVE-0-2023-5654)

    Vulnerability from cvelistv5 – Published: 2023-10-19 14:28 – Updated: 2024-09-12 14:35
    VLAI
    Summary
    The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL’s via the victim's browser.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    Impacted products
    Credits
    Calum Hutton, Snyk
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:07:32.588Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-5654",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-10T13:31:19.969276Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-116",
                    "description": "CWE-116 Improper Encoding or Escaping of Output",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-12T14:35:37.964Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "React Developer Tools Extension",
              "vendor": "Meta",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.28.4"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Calum Hutton, Snyk"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The React Developer Tools extension registers a message listener with window.addEventListener(\u0027message\u0027, \u003clistener\u003e) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not validated or sanitised before it is fetched, thus allowing a malicious web page to arbitrarily fetch URL\u2019s via the victim\u0027s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285: Improper Authorization",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-19T14:28:23.769Z",
            "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
            "shortName": "snyk"
          },
          "references": [
            {
              "url": "https://gist.github.com/CalumHutton/1fb89b64409570a43f89d1fd3274b231"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "assignerShortName": "snyk",
        "cveId": "CVE-2023-5654",
        "datePublished": "2023-10-19T14:28:23.769Z",
        "dateReserved": "2023-10-19T12:33:43.948Z",
        "dateUpdated": "2024-09-12T14:35:37.964Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45239 (GCVE-0-2023-45239)

    Vulnerability from cvelistv5 – Published: 2023-10-06 17:16 – Updated: 2025-02-13 17:13
    VLAI
    Summary
    A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-790 - Improper Filtering of Special Elements
    Assigner
    Impacted products
    Vendor Product Version
    Meta tac_plus Affected: 0 , < 4fdf178 (git)
    Create a notification for this product.
    meta tac_plus Affected: 0 , < 4fdf178 (custom)
        cpe:2.3:a:meta:tac_plus:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:19.824Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/tac_plus/pull/41"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/tac_plus/security/advisories/GHSA-p334-5r3g-4vx3"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4J7ZYMFZB4G4OU5EDJPQLP6F6RKDGIH/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:meta:tac_plus:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "tac_plus",
                "vendor": "meta",
                "versions": [
                  {
                    "lessThan": "4fdf178",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45239",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T16:12:07.879707Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-790",
                    "description": "CWE-790 Improper Filtering of Special Elements",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T16:18:24.876Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "tac_plus",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "4fdf178",
                  "status": "affected",
                  "version": "0",
                  "versionType": "git"
                }
              ]
            }
          ],
          "dateAssigned": "2023-10-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-790: Improper Filtering of Special Elements",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-09T23:06:16.555Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/facebook/tac_plus/pull/41"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/facebook/tac_plus/security/advisories/GHSA-p334-5r3g-4vx3"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4J7ZYMFZB4G4OU5EDJPQLP6F6RKDGIH/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2023-45239",
        "datePublished": "2023-10-06T17:16:16.797Z",
        "dateReserved": "2023-10-05T21:36:59.884Z",
        "dateUpdated": "2025-02-13T17:13:58.340Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-27492 (GCVE-0-2022-27492)

    Vulnerability from cvelistv5 – Published: 2022-09-23 14:00 – Updated: 2025-05-22 18:26
    VLAI
    Summary
    An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta WhatsApp Business for iOS Affected: unspecified , < v2.22.15.9 (custom)
    Create a notification for this product.
    Meta WhatsApp for iOS Affected: unspecified , < v2.22.15.9 (custom)
    Create a notification for this product.
    Meta WhatsApp for Android Affected: unspecified , < 2.22.16.2 (custom)
    Create a notification for this product.
    Meta WhatsApp Business for Android Affected: unspecified , < 2.22.16.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:32:57.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.whatsapp.com/security/advisories/2022/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-27492",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T15:47:52.158526Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T18:26:38.922Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WhatsApp Business for iOS",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "v2.22.15.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp for iOS",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "v2.22.15.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp for Android",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp Business for Android",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "dateAssigned": "2022-06-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-191",
                  "description": "CWE-191",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-23T14:00:14.000Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2022/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-assign@fb.com",
              "DATE_ASSIGNED": "2022-06-28",
              "ID": "CVE-2022-27492",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WhatsApp Business for iOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "v2.22.15.9 "
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp for iOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "v2.22.15.9 "
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp Business for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Meta"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-191"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.whatsapp.com/security/advisories/2022/",
                  "refsource": "CONFIRM",
                  "url": "https://www.whatsapp.com/security/advisories/2022/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2022-27492",
        "datePublished": "2022-09-23T14:00:14.000Z",
        "dateReserved": "2022-03-21T00:00:00.000Z",
        "dateUpdated": "2025-05-22T18:26:38.922Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36934 (GCVE-0-2022-36934)

    Vulnerability from cvelistv5 – Published: 2022-09-22 21:30 – Updated: 2025-05-27 16:05
    VLAI
    Summary
    An integer overflow in WhatsApp could result in remote code execution in an established video call.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Meta WhatsApp for iOS Affected: unspecified , < 2.22.16.12 (custom)
    Create a notification for this product.
    Meta WhatsApp Business for iOS Affected: unspecified , < 2.22.16.12 (custom)
    Create a notification for this product.
    Meta WhatsApp for Android Affected: unspecified , < 2.22.16.12 (custom)
    Create a notification for this product.
    Meta WhatsApp Business for Android Affected: unspecified , < 2.22.16.12 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:21:32.100Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.whatsapp.com/security/advisories/2022/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36934",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-27T16:05:45.458311Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-27T16:05:50.201Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WhatsApp for iOS",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp Business for iOS",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp for Android",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "WhatsApp Business for Android",
              "vendor": "Meta",
              "versions": [
                {
                  "lessThan": "2.22.16.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "dateAssigned": "2022-07-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An integer overflow in WhatsApp could result in remote code execution in an established video call."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-09-22T21:30:11.000Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.whatsapp.com/security/advisories/2022/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-assign@fb.com",
              "DATE_ASSIGNED": "2022-07-27",
              "ID": "CVE-2022-36934",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WhatsApp for iOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp Business for iOS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "WhatsApp Business for Android",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.22.16.12"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Meta"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An integer overflow in WhatsApp could result in remote code execution in an established video call."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-122"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.whatsapp.com/security/advisories/2022/",
                  "refsource": "CONFIRM",
                  "url": "https://www.whatsapp.com/security/advisories/2022/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2022-36934",
        "datePublished": "2022-09-22T21:30:11.000Z",
        "dateReserved": "2022-07-27T00:00:00.000Z",
        "dateUpdated": "2025-05-27T16:05:50.201Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CERTFR-2025-ALE-014

    Vulnerability from certfr_alerte - Published: 2025-12-05 - Updated: 2026-02-12

    [Mise à jour du 11 décembre 2025]

    Le CERT-FR a connaissance de multiples exploitations de la vulnérabilité CVE-2025-55182. Les serveurs avec une version vulnérable exposés après la publication des preuves de concept publiques du 5 décembre 2025 doivent être considérés comme compromis.

    Certains billets de blogues [1] [2] incluent des indicateurs de compromission. Ces indicateurs n'ont pas été qualifiés par le CERT-FR.

    [Mise à jour du 08 décembre 2025]

    Le CERT-FR a connaissance d'exploitations pour la vulnérabilité CVE-2025-55182.

    [Publication initiale]

    Le 3 décembre 2025, React a publié un avis de sécurité relatif à la vulnérabilité CVE-2025-55182 affectant React Server Components et qui permet à un attaquant non authentifié de provoquer une exécution de code arbitraire à distance. L'éditeur de Next.js a également publié un avis de sécurité faisant référence à l'identifiant CVE-2025-66478. Cet identifiant a été rejeté en raison du doublon avec l'identifiant utilisé par React. Cette faille de sécurité est également connue sous le nom de React2Shell.

    Cette vulnérabilité concerne plus précisément les React Server Functions. Même si une application n'utilise pas explicitement de telles fonctions, elle peut être vulnérable si elle supporte les React Server Components. En particulier, plusieurs cadriciels tels que Next.js implémentent de telles fonctions par défaut.

    Les technologies React Server Components et React Server Functions sont relativement récentes (la version 19 de React a été publiée fin 2024) et toutes les applications utilisant la technologie React ne sont ainsi pas nécessairement affectées. Veuillez vous référer à la section systèmes affectés pour plus d'informations.

    Le CERT-FR a connaissance de preuves de concept publiques pour cette vulnérabilité et anticipe des exploitations en masse.

    Note : Le CERT-FR a connaissance de la mise en place de règles de blocages de la vulnérabilité au niveau de plusieurs pare-feu applicatifs web populaires. Bien que ces mécanismes puissent rendre l'exploitation de la vulnérabilité plus difficile, ils ne peuvent pas remplacer une mise à jour vers une version corrective.

    Solutions

    Le CERT-FR recommande de mettre à jour au plus vite les composants vers les versions correctives listées dans les avis éditeurs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    N/A N/A Expo sans les versions correctives de react-server-dom-webpack
    N/A N/A Redwood SDK versions antérieures à 1.0.0-alpha.0
    Vercel Next.js Next.js versions 15.0.x antérieures à 15.0.5
    N/A N/A Waku sans les versions correctives de react-server-dom-webpack
    Vercel Next.js Next.js versions 15.1.x antérieures à 15.1.9
    Vercel Next.js Next.js versions 15.5.x antérieures à 15.5.7
    Meta React react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.2.x antérieures à 19.2.1
    Vercel Next.js Next.js versions 14.x canary
    Vercel Next.js Next.js versions 15.3.x antérieures à 15.3.6
    N/A N/A React router avec le support de l'API RSC sans les derniers correctifs de sécurité
    Meta React react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.0.x antérieures à 19.0.1
    Vercel Next.js Next.js versions 15.4.x antérieures à 15.4.8
    Meta React react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.1.x antérieures à 19.1.2
    Vercel Next.js Next.js versions 16.0.x antérieures à 16.0.7
    N/A N/A Vitejs avec le greffon plugin-rsc sans les derniers correctifs de sécurité
    Vercel Next.js Next.js versions 15.2.x antérieures à 15.2.6

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Expo sans les versions correctives de react-server-dom-webpack",
          "product": {
            "name": "N/A",
            "vendor": {
              "name": "N/A",
              "scada": false
            }
          }
        },
        {
          "description": "Redwood SDK versions ant\u00e9rieures \u00e0 1.0.0-alpha.0",
          "product": {
            "name": "N/A",
            "vendor": {
              "name": "N/A",
              "scada": false
            }
          }
        },
        {
          "description": "Next.js versions 15.0.x ant\u00e9rieures \u00e0 15.0.5",
          "product": {
            "name": "Next.js",
            "vendor": {
              "name": "Vercel",
              "scada": true
            }
          }
        },
        {
          "description": "Waku sans les versions correctives de react-server-dom-webpack",
          "product": {
            "name": "N/A",
            "vendor": {
              "name": "N/A",
              "scada": false
            }
          }
        },
        {
          "description": "Next.js versions 15.1.x ant\u00e9rieures \u00e0 15.1.9",
          "product": {
            "name": "Next.js",
            "vendor": {
              "name": "Vercel",
              "scada": true
            }
          }
        },
        {
          "description": "Next.js versions 15.5.x ant\u00e9rieures \u00e0 15.5.7",
          "product": {
            "name": "Next.js",
            "vendor": {
              "name": "Vercel",
              "scada": true
            }
          }
        },
        {
          "description": "react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.2.x ant\u00e9rieures \u00e0 19.2.1",
          "product": {
            "name": "React",
            "vendor": {
              "name": "Meta",
              "scada": false
            }
          }
        },
        {
          "description": "Next.js versions 14.x canary",
          "product": {
            "name": "Next.js",
            "vendor": {
              "name": "Vercel",
              "scada": true
            }
          }
        },
        {
          "description": "Next.js versions 15.3.x ant\u00e9rieures \u00e0 15.3.6",
          "product": {
            "name": "Next.js",
            "vendor": {
              "name": "Vercel",
              "scada": true
            }
          }
        },
        {
          "description": "React router avec le support de l\u0027API RSC sans les derniers correctifs de s\u00e9curit\u00e9",
          "product": {
            "name": "N/A",
            "vendor": {
              "name": "N/A",
              "scada": false
            }
          }
        },
        {
          "description": "react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.0.x ant\u00e9rieures \u00e0 19.0.1",
          "product": {
            "name": "React",
            "vendor": {
              "name": "Meta",
              "scada": false
            }
          }
        },
        {
          "description": "Next.js versions 15.4.x ant\u00e9rieures \u00e0 15.4.8",
          "product": {
            "name": "Next.js",
            "vendor": {
              "name": "Vercel",
              "scada": true
            }
          }
        },
        {
          "description": "react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.1.x ant\u00e9rieures \u00e0 19.1.2",
          "product": {
            "name": "React",
            "vendor": {
              "name": "Meta",
              "scada": false
            }
          }
        },
        {
          "description": "Next.js versions 16.0.x ant\u00e9rieures \u00e0 16.0.7",
          "product": {
            "name": "Next.js",
            "vendor": {
              "name": "Vercel",
              "scada": true
            }
          }
        },
        {
          "description": "Vitejs avec le greffon plugin-rsc sans les derniers correctifs de s\u00e9curit\u00e9",
          "product": {
            "name": "N/A",
            "vendor": {
              "name": "N/A",
              "scada": false
            }
          }
        },
        {
          "description": "Next.js versions 15.2.x ant\u00e9rieures \u00e0 15.2.6",
          "product": {
            "name": "Next.js",
            "vendor": {
              "name": "Vercel",
              "scada": true
            }
          }
        }
      ],
      "affected_systems_content": "",
      "closed_at": "2026-02-12",
      "content": "## Solutions\n\nLe CERT-FR recommande de mettre \u00e0 jour au plus vite les composants vers les versions correctives list\u00e9es dans les avis \u00e9diteurs (cf. section Documentation). ",
      "cves": [
        {
          "name": "CVE-2025-55182",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-55182"
        },
        {
          "name": "CVE-2025-66478",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-66478"
        }
      ],
      "initial_release_date": "2025-12-05T00:00:00",
      "last_revision_date": "2026-02-12T00:00:00",
      "links": [
        {
          "title": "[2] Billet de Blogue de Huntress, analyse et indicateurs de compromission",
          "url": "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell"
        },
        {
          "title": "Bulletin d\u0027actualit\u00e9 CERTFR-2025-ACT-053 du 04 d\u00e9cembre 2025",
          "url": "https://cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-053/"
        },
        {
          "title": "[1] Billet de Blogue de Wiz.io, analyse et indicateurs de compromission ",
          "url": "https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive"
        },
        {
          "title": "Compromission syst\u00e8me - Qualification",
          "url": "https://www.cert.ssi.gouv.fr/fiche/CERTFR-2024-RFX-005/"
        },
        {
          "title": "Compromission syst\u00e8me - Endiguement",
          "url": "https://www.cert.ssi.gouv.fr/fiche/CERTFR-2024-RFX-006/"
        }
      ],
      "reference": "CERTFR-2025-ALE-014",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2025-12-05T00:00:00.000000"
        },
        {
          "description": "Recherche de compromission, r\u00e9f\u00e9rences des fiches syst\u00e8me de qualification et endiguement",
          "revision_date": "2025-12-11T00:00:00.000000"
        },
        {
          "description": "connaissance d\u0027exploitations pour la vuln\u00e9rabilit\u00e9 CVE-2025-55182",
          "revision_date": "2025-12-08T00:00:00.000000"
        },
        {
          "description": "     Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
          "revision_date": "2026-02-12T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        }
      ],
      "summary": "**\u003cspan class=\"important-content\"\u003e[Mise \u00e0 jour du 11 d\u00e9cembre 2025]\u003c/span\u003e**\n\nLe CERT-FR a connaissance de multiples exploitations de la vuln\u00e9rabilit\u00e9 CVE-2025-55182. Les serveurs avec une version vuln\u00e9rable expos\u00e9s apr\u00e8s la publication des preuves de concept publiques du 5 d\u00e9cembre 2025 doivent \u00eatre consid\u00e9r\u00e9s comme compromis.\n\nCertains billets de blogues [1] [2] incluent des indicateurs de compromission. Ces indicateurs n\u0027ont pas \u00e9t\u00e9 qualifi\u00e9s par le CERT-FR.\n\n\n**[Mise \u00e0 jour du 08 d\u00e9cembre 2025]**\n\nLe CERT-FR a connaissance d\u0027exploitations pour la vuln\u00e9rabilit\u00e9 CVE-2025-55182.\n\n**[Publication initiale]**\n\nLe 3 d\u00e9cembre 2025, React a publi\u00e9 un avis de s\u00e9curit\u00e9 relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-55182 affectant React Server Components et qui permet \u00e0 un attaquant non authentifi\u00e9 de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance. L\u0027\u00e9diteur de Next.js a \u00e9galement publi\u00e9 un avis de s\u00e9curit\u00e9 faisant r\u00e9f\u00e9rence \u00e0 l\u0027identifiant CVE-2025-66478. Cet identifiant a \u00e9t\u00e9 rejet\u00e9 en raison du doublon avec l\u0027identifiant utilis\u00e9 par React. Cette faille de s\u00e9curit\u00e9 est \u00e9galement connue sous le nom de *React2Shell*. \n\nCette vuln\u00e9rabilit\u00e9 concerne plus pr\u00e9cis\u00e9ment les React Server Functions. M\u00eame si une application n\u0027utilise pas explicitement de telles fonctions, elle peut \u00eatre vuln\u00e9rable si elle supporte les React Server Components. En particulier, plusieurs cadriciels tels que Next.js impl\u00e9mentent de telles fonctions par d\u00e9faut. \n\nLes technologies React Server Components et React Server Functions sont relativement r\u00e9centes (la version 19 de React a \u00e9t\u00e9 publi\u00e9e fin 2024) et toutes les applications utilisant la technologie React ne sont ainsi pas n\u00e9cessairement affect\u00e9es. Veuillez vous r\u00e9f\u00e9rer \u00e0 la section syst\u00e8mes affect\u00e9s pour plus d\u0027informations.\n\nLe CERT-FR a connaissance de preuves de concept publiques pour cette vuln\u00e9rabilit\u00e9 et anticipe des exploitations en masse.\n\n*Note : Le CERT-FR a connaissance de la mise en place de r\u00e8gles de blocages de la vuln\u00e9rabilit\u00e9 au niveau de plusieurs pare-feu applicatifs web populaires. Bien que ces m\u00e9canismes puissent rendre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 plus difficile, ils ne peuvent pas remplacer une mise \u00e0 jour vers une version corrective.* ",
      "title": "[M\u00e0J] Vuln\u00e9rabilit\u00e9 dans React Server Components",
      "vendor_advisories": [
        {
          "published_at": "2025-12-03",
          "title": "Billet de blogue React relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-55182",
          "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
        },
        {
          "published_at": "2025-12-03",
          "title": "Billet de blogue Vercel relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-55182",
          "url": "https://vercel.com/changelog/cve-2025-55182"
        },
        {
          "published_at": "2025-12-03",
          "title": "Bulletin de s\u00e9curit\u00e9 Facebook CVE-2025-55182",
          "url": "https://www.facebook.com/security/advisories/cve-2025-55182"
        }
      ]
    }