React — CVE history (npm)
React
6 CVEs affect the React npm package (highest CVSS 10.0). 1 on CISA's Known Exploited Vulnerabilities catalog. Latest disclosed: 2026-01-26. Full CVE history sourced from NVD.
Summary
- Package: React (npm)
- Total CVEs: 6
- Actively exploited (CISA KEV): 1
- Highest CVSS: 10.0
- Latest disclosed: 2026-01-26
Recent CVEs (top 6)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-23864 | High | 7.5 | — | 2026-01-26 | Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. |
| CVE-2025-67779 | High | 7.5 | — | 2025-12-12 | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. |
| CVE-2025-55184 | High | 7.5 | — | 2025-12-11 | A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack… |
| CVE-2025-55183 | Medium | 5.3 | — | 2025-12-11 | An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-t… |
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |
| CVE-2018-6341 | Medium | 6.1 | — | 2018-12-31 | React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. |
All-time worst (top 6 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |
| CVE-2026-23864 | High | 7.5 | — | 2026-01-26 | Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. |
| CVE-2025-67779 | High | 7.5 | — | 2025-12-12 | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. |
| CVE-2025-55184 | High | 7.5 | — | 2025-12-11 | A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack… |
| CVE-2018-6341 | Medium | 6.1 | — | 2018-12-31 | React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. |
| CVE-2025-55183 | Medium | 5.3 | — | 2025-12-11 | An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-t… |
Actively exploited (CISA KEV — 1)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |