Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

react

Source -

CNANVD

CNA CVEs -

1

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

5
Related CVEsRelated VendorsRelated AssignersReports
6Vulnerabilities found
CVE-2026-42349
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-0.05% / 15.54%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 16:08
Updated-01 Jun, 2026 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Clerk: Authorization bypass when combining organization, billing, or reverification checks

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.

Action-Not Available
Vendor-clerk@clerkclerk
Product-clerk\/clerk-expoclerk\/nuxtclerk\/astroclerk\/honoclerk\/chrome-extensionclerk\/clerk-reactclerk\/expoclerk\/clerk-jsclerk\/vueclerk\/nextjsclerk\/backendclerk\/react-routerclerk\/reactclerk\/fastifyclerk\/tanstack-react-startclerk\/expressclerk\/sharedastrobackendsharedreacthonoclerk-expoclerk-reactnuxtchrome-extensionfastifytanstack-react-startjavascriptexpressreact-routerexpovuenextjs
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-67779
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-1.65% / 82.35%
||
7 Day CHG~0.00%
Published-11 Dec, 2025 | 23:36
Updated-12 Dec, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Action-Not Available
Vendor-vercelMeta Platforms, Inc.Facebook
Product-next.jsreactreact-server-dom-webpackreact-server-dom-turbopackreact-server-dom-parcel
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-55184
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-41.24% / 97.48%
||
7 Day CHG~0.00%
Published-11 Dec, 2025 | 20:05
Updated-15 Dec, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Action-Not Available
Vendor-vercelMeta Platforms, Inc.Facebook
Product-reactnext.jsreact-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopack
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-55183
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-5.3||MEDIUM
EPSS-26.31% / 96.42%
||
7 Day CHG~0.00%
Published-11 Dec, 2025 | 20:04
Updated-07 Jan, 2026 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Action-Not Available
Vendor-vercelMeta Platforms, Inc.Facebook
Product-next.jsreactreact-server-dom-parcelreact-server-dom-webpackreact-server-dom-turbopack
CVE-2025-55182
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-10||CRITICAL
EPSS-83.20% / 99.28%
||
7 Day CHG+1.19%
Published-03 Dec, 2025 | 15:40
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-12-12||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Action-Not Available
Vendor-vercelMetaMeta Platforms, Inc.Facebook
Product-reactnext.jsreact-server-dom-webpackreact-server-dom-turbopackreact-server-dom-parcelReact Server Components
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2018-6341
Assigner-Meta Platforms, Inc.
ShareView Details
Assigner-Meta Platforms, Inc.
CVSS Score-6.1||MEDIUM
EPSS-10.07% / 93.23%
||
7 Day CHG~0.00%
Published-31 Dec, 2018 | 22:00
Updated-06 May, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Action-Not Available
Vendor-Facebook
Product-reactreact-dom
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')