A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Exploitability
AV:NAC:LPR:NUI:NScope
S:CImpact
C:HI:HA:H10/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H