React — CVE history (npm)

6 CVEs affect the React npm package (highest CVSS 10.0). 1 is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Latest disclosed: 2026-01-26. Full CVE history sourced from NVD.

Summary

Package: React (npm)
Total CVEs: 6
Actively exploited (CISA KEV): 1
Highest CVSS: 10.0
Latest disclosed: 2026-01-26

Recent CVEs (top 6)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-23864 | High | 7.5 | | 2026-01-26 | Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. |
| CVE-2025-67779 | High | 7.5 | | 2025-12-12 | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. |
| CVE-2025-55184 | High | 7.5 | | 2025-12-11 | A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack… |
| CVE-2025-55183 | Medium | 5.3 | | 2025-12-11 | An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-t… |
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |
| CVE-2018-6341 | Medium | 6.1 | | 2018-12-31 | React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. |

All-time worst (top 6 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |
| CVE-2026-23864 | High | 7.5 | | 2026-01-26 | Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. |
| CVE-2025-67779 | High | 7.5 | | 2025-12-12 | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. |
| CVE-2025-55184 | High | 7.5 | | 2025-12-11 | A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack… |
| CVE-2018-6341 | Medium | 6.1 | | 2018-12-31 | React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. |
| CVE-2025-55183 | Medium | 5.3 | | 2025-12-11 | An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-t… |

Actively exploited (CISA KEV — 1)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |