react-server-dom-turbopack (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package react-server-dom-turbopack, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2025-55184 — CVSS 7.5 (high): A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2…
CVE-2025-67779 — CVSS 7.5 (high): It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service…
CVE-2026-23870 — CVSS 7.5 (high): A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could…
CVE-2026-23864 — CVSS 7.5 (high): Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel…
CVE-2026-23869 — CVSS 7.5 (high): A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel…
CVE-2025-55183 — CVSS 5.3 (medium): An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1…