Shared security patch analysis results
AI Used: deepseek deepseek-chat--- cache/react_v19.2.0/ReactVersions.js 2025-12-04 09:13:53.120145794 +0000+++ cache/react_v19.2.1/ReactVersions.js 2025-12-04 09:13:55.360289695 +0000@@ -7,18 +7,18 @@ // // The @latest channel uses the version as-is, e.g.: //-// 19.2.0+// 19.2.1 // // The @canary channel appends additional information, with the scheme // <version>-<label>-<commit_sha>, e.g.: //-// 19.2.0-canary-a1c2d3e4+// 19.2.1-canary-a1c2d3e4 // // The @experimental channel doesn't include a version, only a date and a sha, e.g.: // // 0.0.0-experimental-241c4467e-20200129 -const ReactVersion = '19.2.0';+const ReactVersion = '19.2.1'; // The label used by the @canary channel. Represents the upcoming release's // stability. Most of the time, this will be "canary", but we may temporarily
Vulnerability Existed: no No specific CWE - N/A - ReactVersions.js Lines 7, 12, 16 Old Code: // 19.2.0 // 19.2.0-canary-a1c2d3e4 const ReactVersion = '19.2.0'; Fixed Code: // 19.2.1 // 19.2.1-canary-a1c2d3e4 const ReactVersion = '19.2.1'; Explanation: This diff only updates version numbers from 19.2.0 to 19.2.1 in comments and a constant string. There are no security-related changes, bug fixes, or vulnerability patches visible in this diff. This appears to be a routine version bump for a new release.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/package.json 2025-12-04 09:13:53.444166608 +0000+++ cache/react_v19.2.1/package.json 2025-12-04 09:13:55.884323358 +0000@@ -123,7 +123,7 @@ "scripts": { "prebuild": "./scripts/react-compiler/link-compiler.sh", "build": "node ./scripts/rollup/build-all-release-channels.js",- "build-for-devtools": "cross-env RELEASE_CHANNEL=experimental yarn build react/index,react/jsx,react/compiler-runtime,react-dom/index,react-dom/client,react-dom/unstable_testing,react-dom/test-utils,react-is,react-debug-tools,scheduler,react-test-renderer,react-refresh,react-art --type=NODE",+ "build-for-devtools": "cross-env yarn build react/index,react/jsx,react/compiler-runtime,react-dom/index,react-dom/client,react-dom/unstable_testing,react-dom/test-utils,react-is,react-debug-tools,scheduler,react-test-renderer,react-refresh,react-art --type=NODE --release-channel=experimental", "build-for-devtools-dev": "yarn build-for-devtools --type=NODE_DEV", "build-for-devtools-prod": "yarn build-for-devtools --type=NODE_PROD", "build-for-flight-dev": "cross-env RELEASE_CHANNEL=experimental node ./scripts/rollup/build.js react/index,react/jsx,react.react-server,react-dom/index,react-dom/client,react-dom/server,react-dom.react-server,react-dom-server.node,react-dom-server-legacy.node,scheduler,react-server-dom-webpack/ --type=NODE_DEV,ESM_PROD,NODE_ES2015 && mv ./build/node_modules ./build/oss-experimental",
Vulnerability Existed: no CWE Name: N/A - CWE ID: N/A - File: package.json Lines: 126 Old Code: `"build-for-devtools": "cross-env RELEASE_CHANNEL=experimental yarn build react/index,react/jsx,react/compiler-runtime,react-dom/index,react-dom/client,react-dom/unstable_testing,react-dom/test-utils,react-is,react-debug-tools,scheduler,react-test-renderer,react-refresh,react-art --type=NODE",` Fixed Code: `"build-for-devtools": "cross-env yarn build react/index,react/jsx,react/compiler-runtime,react-dom/index,react-dom/client,react-dom/unstable_testing,react-dom/test-utils,react-is,react-debug-tools,scheduler,react-test-renderer,react-refresh,react-art --type=NODE --release-channel=experimental",` Explanation: This change only modifies how the `RELEASE_CHANNEL` environment variable is passed to the build script. The old code used `cross-env RELEASE_CHANNEL=experimental` to set an environment variable, while the new code moves this configuration to a command-line argument `--release-channel=experimental`. This is a build process adjustment with no security implications, as it doesn't affect runtime behavior, input validation, or introduce any known vulnerability patterns.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-art/package.json 2025-12-04 09:13:53.452167122 +0000+++ cache/react_v19.2.1/packages/react-art/package.json 2025-12-04 09:13:55.896324129 +0000@@ -1,7 +1,7 @@ { "name": "react-art", "description": "React ART is a JavaScript library for drawing vector graphics using React. It provides declarative and reactive bindings to the ART library. Using the same declarative API you can render the output to either Canvas, SVG or VML (IE8).",- "version": "19.2.0",+ "version": "19.2.1", "main": "index.js", "repository": { "type": "git",@@ -27,7 +27,7 @@ "scheduler": "^0.27.0" }, "peerDependencies": {- "react": "^19.2.0"+ "react": "^19.2.1" }, "files": [ "LICENSE",
Vulnerability Existed: no CWE Name - CWE ID - File packages/react-art/package.json Lines 1-1, 27-27 Old Code "version": "19.2.0", "react": "^19.2.0" Fixed Code "version": "19.2.1", "react": "^19.2.1" Explanation: The diff only updates the version number of the package and its peer dependency on React. This is a routine version bump and does not indicate any security vulnerability fix. No changes to code logic, dependencies, or configuration that could introduce or mitigate a security issue are present.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-dom-bindings/package.json 2025-12-04 09:13:53.520171490 +0000+++ cache/react_v19.2.1/packages/react-dom-bindings/package.json 2025-12-04 09:13:56.020332095 +0000@@ -1,7 +1,7 @@ { "name": "react-dom-bindings", "description": "React implementation details for react-dom.",- "version": "19.2.0",+ "version": "19.2.1", "private": true, "main": "index.js", "repository": {
Vulnerability Existed: no N/A - N/A - packages/react-dom-bindings/package.json 1-1 Old Code: "version": "19.2.0", Fixed Code: "version": "19.2.1", Explanation: This change only updates the version number in the package.json file. There is no modification to the source code, dependencies, or configuration that could introduce or fix a security vulnerability. Version bumps are routine for releases and do not inherently indicate a security fix.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-dom/package.json 2025-12-04 09:13:53.532172261 +0000+++ cache/react_v19.2.1/packages/react-dom/package.json 2025-12-04 09:13:56.040333380 +0000@@ -1,6 +1,6 @@ { "name": "react-dom",- "version": "19.2.0",+ "version": "19.2.1", "description": "React package for working with the DOM.", "main": "index.js", "repository": {@@ -20,7 +20,7 @@ "scheduler": "^0.27.0" }, "peerDependencies": {- "react": "^19.2.0"+ "react": "^19.2.1" }, "files": [ "LICENSE",
Vulnerability Existed: no
No specific CWE - N/A - packages/react-dom/package.json [Lines 1-20]
Old Code:
```json
"version": "19.2.0",
"peerDependencies": {
"react": "^19.2.0"
}
```
Fixed Code:
```json
"version": "19.2.1",
"peerDependencies": {
"react": "^19.2.1"
}
```
Explanation:
The changes are version updates only (from 19.2.0 to 19.2.1) for the package itself and its peer dependency. There is no modification to security-related configurations, dependencies, or scripts that would indicate a security vulnerability fix. This appears to be a routine version bump.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-is/package.json 2025-12-04 09:13:53.556173803 +0000+++ cache/react_v19.2.1/packages/react-is/package.json 2025-12-04 09:13:56.088336463 +0000@@ -1,6 +1,6 @@ { "name": "react-is",- "version": "19.2.0",+ "version": "19.2.1", "description": "Brand checking of React Elements.", "main": "index.js", "sideEffects": false,
Vulnerability Existed: no No specific CWE - N/A - packages/react-is/package.json lines 1-1 Old Code: "version": "19.2.0", Fixed Code: "version": "19.2.1", Explanation: The diff only shows a version number update from 19.2.0 to 19.2.1 in the package.json file. This change alone does not indicate any security vulnerability fix; it is a routine version bump. No code changes that could introduce or fix security issues are present in this diff.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-markup/package.json 2025-12-04 09:13:53.560174060 +0000+++ cache/react_v19.2.1/packages/react-markup/package.json 2025-12-04 09:13:56.088336463 +0000@@ -1,6 +1,6 @@ { "name": "react-markup",- "version": "19.2.0",+ "version": "19.2.1", "description": "React package generating embedded markup such as e-mails with support for Server Components.", "main": "index.js", "repository": {
Vulnerability Existed: no
CWE Name: No vulnerability identified - N/A - File packages/react-markup/package.json Lines 1-6
Old Code:
```json
{
"name": "react-markup",
"version": "19.2.0",
"description": "React package generating embedded markup such as e-mails with support for Server Components.",
"main": "index.js",
"repository": {
```
Fixed Code:
```json
{
"name": "react-markup",
"version": "19.2.1",
"description": "React package generating embedded markup such as e-mails with support for Server Components.",
"main": "index.js",
"repository": {
```
Explanation:
The diff only updates the version number from 19.2.0 to 19.2.1, which is a typical version bump for a patch release. No changes to dependencies, scripts, or other fields that could introduce or fix security vulnerabilities are present in this diff. Therefore, no security vulnerability is indicated by this change.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-reconciler/package.json 2025-12-04 09:13:53.568174574 +0000+++ cache/react_v19.2.1/packages/react-reconciler/package.json 2025-12-04 09:13:56.104337491 +0000@@ -26,7 +26,7 @@ "node": ">=0.10.0" }, "peerDependencies": {- "react": "^19.2.0"+ "react": "^19.2.1" }, "dependencies": { "scheduler": "^0.27.0"
Vulnerability Existed: no
CWE Name - CWE ID - File packages/react-reconciler/package.json Lines 26-26
Old Code:
"react": "^19.2.0"
Fixed Code:
"react": "^19.2.1"
Explanation:
This change updates the peer dependency version of the `react` package from `^19.2.0` to `^19.2.1`. This is a version bump that likely aligns with a patch release of React. There is no indication of a security vulnerability being fixed in this diff; it is a routine dependency update. The change does not introduce or mitigate any known security weakness, as it only modifies the version constraint.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-esm/package.json 2025-12-04 09:13:53.596176372 +0000+++ cache/react_v19.2.1/packages/react-server-dom-esm/package.json 2025-12-04 09:13:56.140339804 +0000@@ -1,7 +1,7 @@ { "name": "react-server-dom-esm", "description": "React Server Components bindings for DOM using ESM. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.",- "version": "19.2.0",+ "version": "19.2.1", "keywords": [ "react" ],
Vulnerability Existed: no CWE Name - CWE ID - File packages/react-server-dom-esm/package.json Lines 1-7 Old Code: ```json "version": "19.2.0", ``` Fixed Code: ```json "version": "19.2.1", ``` Explanation: This change only updates the version number from 19.2.0 to 19.2.1. Version bumps in package.json files are routine maintenance updates and do not indicate a security vulnerability fix. There are no code changes, dependency updates, or configuration modifications that would suggest a security issue was addressed.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-esm/src/server/ReactFlightDOMServerNode.js 2025-12-04 09:13:53.596176372 +0000+++ cache/react_v19.2.1/packages/react-server-dom-esm/src/server/ReactFlightDOMServerNode.js 2025-12-04 09:13:56.144340061 +0000@@ -348,16 +348,23 @@ // we queue any fields we receive until the previous file is done. queuedFields.push(name, value); } else {- resolveField(response, name, value);+ try {+ resolveField(response, name, value);+ } catch (error) {+ busboyStream.destroy(error);+ } } }); busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => { if (encoding.toLowerCase() === 'base64') {- throw new Error(- "React doesn't accept base64 encoded file uploads because we don't expect " +- "form data passed from a browser to ever encode data that way. If that's " +- 'the wrong assumption, we can easily fix it.',+ busboyStream.destroy(+ new Error(+ "React doesn't accept base64 encoded file uploads because we don't expect " ++ "form data passed from a browser to ever encode data that way. If that's " ++ 'the wrong assumption, we can easily fix it.',+ ), );+ return; } pendingFiles++; const file = resolveFileInfo(response, name, filename, mimeType);@@ -365,14 +372,18 @@ resolveFileChunk(response, file, chunk); }); value.on('end', () => {- resolveFileComplete(response, name, file);- pendingFiles--;- if (pendingFiles === 0) {- // Release any queued fields- for (let i = 0; i < queuedFields.length; i += 2) {- resolveField(response, queuedFields[i], queuedFields[i + 1]);+ try {+ resolveFileComplete(response, name, file);+ pendingFiles--;+ if (pendingFiles === 0) {+ // Release any queued fields+ for (let i = 0; i < queuedFields.length; i += 2) {+ resolveField(response, queuedFields[i], queuedFields[i + 1]);+ }+ queuedFields.length = 0; }- queuedFields.length = 0;+ } catch (error) {+ busboyStream.destroy(error); } }); });
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248 - Uncaught Exception - packages/react-server-dom-esm/src/server/ReactFlightDOMServerNode.js [348-372]
Old Code:
```javascript
busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => {
if (encoding.toLowerCase() === 'base64') {
throw new Error(
"React doesn't accept base64 encoded file uploads because we don't expect " +
"form data passed from a browser to ever encode data that way. If that's " +
'the wrong assumption, we can easily fix it.',
);
}
```
Fixed Code:
```javascript
busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => {
if (encoding.toLowerCase() === 'base64') {
busboyStream.destroy(
new Error(
"React doesn't accept base64 encoded file uploads because we don't expect " +
"form data passed from a browser to ever encode data that way. If that's " +
'the wrong assumption, we can easily fix it.',
),
);
return;
}
```
Explanation:
The old code threw an uncaught exception synchronously inside an event handler, which could crash the Node.js process or leave the stream in an inconsistent state. The fix replaces the `throw` with `busboyStream.destroy(error)` and returns early, ensuring the error is properly propagated and handled without an unhandled exception.
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248 - Uncaught Exception - packages/react-server-dom-esm/src/server/ReactFlightDOMServerNode.js [348-372]
Old Code:
```javascript
busboyStream.on('field', (name, value) => {
if (pendingFiles > 0) {
// we queue any fields we receive until the previous file is done.
queuedFields.push(name, value);
} else {
resolveField(response, name, value);
}
});
```
Fixed Code:
```javascript
busboyStream.on('field', (name, value) => {
if (pendingFiles > 0) {
// we queue any fields we receive until the previous file is done.
queuedFields.push(name, value);
} else {
try {
resolveField(response, name, value);
} catch (error) {
busboyStream.destroy(error);
}
}
});
```
Explanation:
The old code called `resolveField` without error handling, which could lead to an uncaught exception if `resolveField` throws. The fix wraps the call in a try-catch block and destroys the stream with the error, preventing an unhandled exception that could crash the server or cause undefined behavior.
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248 - Uncaught Exception - packages/react-server-dom-esm/src/server/ReactFlightDOMServerNode.js [348-372]
Old Code:
```javascript
value.on('end', () => {
resolveFileComplete(response, name, file);
pendingFiles--;
if (pendingFiles === 0) {
// Release any queued fields
for (let i = 0; i < queuedFields.length; i += 2) {
resolveField(response, queuedFields[i], queuedFields[i + 1]);
}
queuedFields.length = 0;
}
});
```
Fixed Code:
```javascript
value.on('end', () => {
try {
resolveFileComplete(response, name, file);
pendingFiles--;
if (pendingFiles === 0) {
// Release any queued fields
for (let i = 0; i < queuedFields.length; i += 2) {
resolveField(response, queuedFields[i], queuedFields[i + 1]);
}
queuedFields.length = 0;
}
} catch (error) {
busboyStream.destroy(error);
}
});
```
Explanation:
The old code executed `resolveFileComplete` and a loop over `queuedFields` without error handling. If any of these operations threw an exception, it would be uncaught, potentially crashing the process. The fix wraps the entire block in a try-catch and destroys the stream on error, ensuring proper error propagation and preventing unhandled exceptions.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-parcel/package.json 2025-12-04 09:13:53.596176372 +0000+++ cache/react_v19.2.1/packages/react-server-dom-parcel/package.json 2025-12-04 09:13:56.144340061 +0000@@ -1,7 +1,7 @@ { "name": "react-server-dom-parcel", "description": "React Server Components bindings for DOM using Parcel. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.",- "version": "19.2.0",+ "version": "19.2.1", "keywords": [ "react" ],@@ -79,7 +79,7 @@ "node": ">=0.10.0" }, "peerDependencies": {- "react": "^19.2.0",- "react-dom": "^19.2.0"+ "react": "^19.2.1",+ "react-dom": "^19.2.1" } }
Vulnerability Existed: no CWE Name - CWE ID - File packages/react-server-dom-parcel/package.json Lines 1-1, 79-80 Old Code: "version": "19.2.0", "react": "^19.2.0", "react-dom": "^19.2.0" Fixed Code: "version": "19.2.1", "react": "^19.2.1", "react-dom": "^19.2.1" Explanation: The diff only updates the version numbers in the package.json file. There are no changes to the source code, dependencies (besides version bumps), or any security-related fixes indicated. Version updates alone do not necessarily imply a security vulnerability existed; they could be for bug fixes, performance improvements, or other non-security updates. Without additional context or changes to the actual code, this appears to be a routine version bump.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-parcel/src/client/ReactFlightClientConfigBundlerParcel.js 2025-12-04 09:13:53.596176372 +0000+++ cache/react_v19.2.1/packages/react-server-dom-parcel/src/client/ReactFlightClientConfigBundlerParcel.js 2025-12-04 09:13:56.144340061 +0000@@ -19,6 +19,8 @@ } from '../shared/ReactFlightImportMetadata'; import {prepareDestinationWithChunks} from 'react-client/src/ReactFlightClientConfig'; +import hasOwnProperty from 'shared/hasOwnProperty';+ export type ServerManifest = { [string]: Array<string>, };@@ -78,7 +80,10 @@ export function requireModule<T>(metadata: ClientReference<T>): T { const moduleExports = parcelRequire(metadata[ID]);- return moduleExports[metadata[NAME]];+ if (hasOwnProperty.call(moduleExports, metadata[NAME])) {+ return moduleExports[metadata[NAME]];+ }+ return (undefined: any); } export function getModuleDebugInfo<T>(
Vulnerability Existed: yes
TRUE POSITIVE
CWE-754: Improper Check for Unusual or Exceptional Conditions - CWE 754 - packages/react-server-dom-parcel/src/client/ReactFlightClientConfigBundlerParcel.js [78-84]
Old Code:
```javascript
export function requireModule<T>(metadata: ClientReference<T>): T {
const moduleExports = parcelRequire(metadata[ID]);
return moduleExports[metadata[NAME]];
}
```
Fixed Code:
```javascript
export function requireModule<T>(metadata: ClientReference<T>): T {
const moduleExports = parcelRequire(metadata[ID]);
if (hasOwnProperty.call(moduleExports, metadata[NAME])) {
return moduleExports[metadata[NAME]];
}
return (undefined: any);
}
```
Explanation:
The old code directly accessed `moduleExports[metadata[NAME]]` without verifying if the property exists on the module exports object. This could lead to unexpected behavior or runtime errors if the property is missing, potentially causing the application to crash or behave unpredictably. The fix adds a proper check using `hasOwnProperty` to ensure the property exists before accessing it, returning `undefined` as a safe fallback instead. This prevents prototype chain pollution and ensures graceful handling of missing exports.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-parcel/src/server/ReactFlightDOMServerNode.js 2025-12-04 09:13:53.596176372 +0000+++ cache/react_v19.2.1/packages/react-server-dom-parcel/src/server/ReactFlightDOMServerNode.js 2025-12-04 09:13:56.144340061 +0000@@ -578,16 +578,23 @@ // we queue any fields we receive until the previous file is done. queuedFields.push(name, value); } else {- resolveField(response, name, value);+ try {+ resolveField(response, name, value);+ } catch (error) {+ busboyStream.destroy(error);+ } } }); busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => { if (encoding.toLowerCase() === 'base64') {- throw new Error(- "React doesn't accept base64 encoded file uploads because we don't expect " +- "form data passed from a browser to ever encode data that way. If that's " +- 'the wrong assumption, we can easily fix it.',+ busboyStream.destroy(+ new Error(+ "React doesn't accept base64 encoded file uploads because we don't expect " ++ "form data passed from a browser to ever encode data that way. If that's " ++ 'the wrong assumption, we can easily fix it.',+ ), );+ return; } pendingFiles++; const file = resolveFileInfo(response, name, filename, mimeType);@@ -595,14 +602,18 @@ resolveFileChunk(response, file, chunk); }); value.on('end', () => {- resolveFileComplete(response, name, file);- pendingFiles--;- if (pendingFiles === 0) {- // Release any queued fields- for (let i = 0; i < queuedFields.length; i += 2) {- resolveField(response, queuedFields[i], queuedFields[i + 1]);+ try {+ resolveFileComplete(response, name, file);+ pendingFiles--;+ if (pendingFiles === 0) {+ // Release any queued fields+ for (let i = 0; i < queuedFields.length; i += 2) {+ resolveField(response, queuedFields[i], queuedFields[i + 1]);+ }+ queuedFields.length = 0; }- queuedFields.length = 0;+ } catch (error) {+ busboyStream.destroy(error); } }); });
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248: Uncaught Exception - CWE ID 248 - packages/react-server-dom-parcel/src/server/ReactFlightDOMServerNode.js [578-595]
Old Code:
```javascript
busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => {
if (encoding.toLowerCase() === 'base64') {
throw new Error(
"React doesn't accept base64 encoded file uploads because we don't expect " +
"form data passed from a browser to ever encode data that way. If that's " +
'the wrong assumption, we can easily fix it.',
);
}
```
Fixed Code:
```javascript
busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => {
if (encoding.toLowerCase() === 'base64') {
busboyStream.destroy(
new Error(
"React doesn't accept base64 encoded file uploads because we don't expect " +
"form data passed from a browser to ever encode data that way. If that's " +
'the wrong assumption, we can easily fix it.',
),
);
return;
}
```
Explanation:
The old code threw an uncaught exception synchronously inside an event handler, which could crash the Node.js process if not handled elsewhere. The fix uses `busboyStream.destroy(error)` to properly propagate the error and stops further execution with `return`, preventing the unhandled exception.
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248: Uncaught Exception - CWE ID 248 - packages/react-server-dom-parcel/src/server/ReactFlightDOMServerNode.js [578-595]
Old Code:
```javascript
busboyStream.on('field', (name, value) => {
if (pendingFiles > 0) {
// we queue any fields we receive until the previous file is done.
queuedFields.push(name, value);
} else {
resolveField(response, name, value);
}
});
```
Fixed Code:
```javascript
busboyStream.on('field', (name, value) => {
if (pendingFiles > 0) {
// we queue any fields we receive until the previous file is done.
queuedFields.push(name, value);
} else {
try {
resolveField(response, name, value);
} catch (error) {
busboyStream.destroy(error);
}
}
});
```
Explanation:
The old code called `resolveField` without error handling, potentially allowing uncaught exceptions to crash the process. The fix wraps it in a try-catch and uses `busboyStream.destroy(error)` to handle errors gracefully.
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248: Uncaught Exception - CWE ID 248 - packages/react-server-dom-parcel/src/server/ReactFlightDOMServerNode.js [595-610]
Old Code:
```javascript
value.on('end', () => {
resolveFileComplete(response, name, file);
pendingFiles--;
if (pendingFiles === 0) {
// Release any queued fields
for (let i = 0; i < queuedFields.length; i += 2) {
resolveField(response, queuedFields[i], queuedFields[i + 1]);
}
queuedFields.length = 0;
}
});
```
Fixed Code:
```javascript
value.on('end', () => {
try {
resolveFileComplete(response, name, file);
pendingFiles--;
if (pendingFiles === 0) {
// Release any queued fields
for (let i = 0; i < queuedFields.length; i += 2) {
resolveField(response, queuedFields[i], queuedFields[i + 1]);
}
queuedFields.length = 0;
}
} catch (error) {
busboyStream.destroy(error);
}
});
```
Explanation:
The old code executed `resolveFileComplete` and looped over `queuedFields` without error handling, risking uncaught exceptions. The fix wraps the logic in a try-catch and uses `busboyStream.destroy(error)` to manage errors, preventing process crashes.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-turbopack/package.json 2025-12-04 09:13:53.600176629 +0000+++ cache/react_v19.2.1/packages/react-server-dom-turbopack/package.json 2025-12-04 09:13:56.148340318 +0000@@ -1,7 +1,7 @@ { "name": "react-server-dom-turbopack", "description": "React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.",- "version": "19.2.0",+ "version": "19.2.1", "keywords": [ "react" ],@@ -79,8 +79,8 @@ "node": ">=0.10.0" }, "peerDependencies": {- "react": "^19.2.0",- "react-dom": "^19.2.0"+ "react": "^19.2.1",+ "react-dom": "^19.2.1" }, "dependencies": { "acorn-loose": "^8.3.0",
Vulnerability Existed: no CWE Name - CWE ID - File packages/react-server-dom-turbopack/package.json Lines 1-1, 79-80 Old Code "version": "19.2.0", "react": "^19.2.0", "react-dom": "^19.2.0" Fixed Code "version": "19.2.1", "react": "^19.2.1", "react-dom": "^19.2.1" Explanation: This diff only updates the version numbers in the package.json file. There are no changes to the actual code logic, dependencies (aside from version bumps), or configuration that would indicate a security vulnerability fix. Version updates alone do not necessarily imply a security fix; they could be for bug fixes, performance improvements, or other non-security changes. Without additional context from the React release notes or commit messages, it is not possible to determine if this version bump addresses a security vulnerability. Therefore, based solely on the diff content, no vulnerability is evident.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-turbopack/src/client/ReactFlightClientConfigBundlerTurbopack.js 2025-12-04 09:13:53.600176629 +0000+++ cache/react_v19.2.1/packages/react-server-dom-turbopack/src/client/ReactFlightClientConfigBundlerTurbopack.js 2025-12-04 09:13:56.148340318 +0000@@ -34,6 +34,8 @@ addChunkDebugInfo, } from 'react-client/src/ReactFlightClientConfig'; +import hasOwnProperty from 'shared/hasOwnProperty';+ export type ServerConsumerModuleMap = null | { [clientId: string]: { [clientExportName: string]: ClientReferenceManifestEntry,@@ -245,7 +247,10 @@ // default property of this if it was an ESM interop module. return moduleExports.__esModule ? moduleExports.default : moduleExports; }- return moduleExports[metadata[NAME]];+ if (hasOwnProperty.call(moduleExports, metadata[NAME])) {+ return moduleExports[metadata[NAME]];+ }+ return (undefined: any); } export function getModuleDebugInfo<T>(
Vulnerability Existed: yes
TRUE POSITIVE
CWE-789: Uncontrolled Memory Allocation - CWE-789 - packages/react-server-dom-turbopack/src/client/ReactFlightClientConfigBundlerTurbopack.js [245-250]
Old Code:
```javascript
return moduleExports[metadata[NAME]];
```
Fixed Code:
```javascript
if (hasOwnProperty.call(moduleExports, metadata[NAME])) {
return moduleExports[metadata[NAME]];
}
return (undefined: any);
```
Explanation:
The old code directly accessed a property on `moduleExports` using `metadata[NAME]` without checking if the property exists. This could lead to prototype pollution if `metadata[NAME]` is a malicious property like `__proto__`, `constructor`, or `prototype`. The fix uses `hasOwnProperty` to ensure only the object's own properties are accessed, preventing unintended modifications to the object prototype chain. This addresses a potential security vulnerability where an attacker could inject properties that affect all objects in the application.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-turbopack/src/server/ReactFlightDOMServerNode.js 2025-12-04 09:13:53.600176629 +0000+++ cache/react_v19.2.1/packages/react-server-dom-turbopack/src/server/ReactFlightDOMServerNode.js 2025-12-04 09:13:56.148340318 +0000@@ -570,16 +570,23 @@ // we queue any fields we receive until the previous file is done. queuedFields.push(name, value); } else {- resolveField(response, name, value);+ try {+ resolveField(response, name, value);+ } catch (error) {+ busboyStream.destroy(error);+ } } }); busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => { if (encoding.toLowerCase() === 'base64') {- throw new Error(- "React doesn't accept base64 encoded file uploads because we don't expect " +- "form data passed from a browser to ever encode data that way. If that's " +- 'the wrong assumption, we can easily fix it.',+ busboyStream.destroy(+ new Error(+ "React doesn't accept base64 encoded file uploads because we don't expect " ++ "form data passed from a browser to ever encode data that way. If that's " ++ 'the wrong assumption, we can easily fix it.',+ ), );+ return; } pendingFiles++; const file = resolveFileInfo(response, name, filename, mimeType);@@ -587,14 +594,18 @@ resolveFileChunk(response, file, chunk); }); value.on('end', () => {- resolveFileComplete(response, name, file);- pendingFiles--;- if (pendingFiles === 0) {- // Release any queued fields- for (let i = 0; i < queuedFields.length; i += 2) {- resolveField(response, queuedFields[i], queuedFields[i + 1]);+ try {+ resolveFileComplete(response, name, file);+ pendingFiles--;+ if (pendingFiles === 0) {+ // Release any queued fields+ for (let i = 0; i < queuedFields.length; i += 2) {+ resolveField(response, queuedFields[i], queuedFields[i + 1]);+ }+ queuedFields.length = 0; }- queuedFields.length = 0;+ } catch (error) {+ busboyStream.destroy(error); } }); });
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248 - Uncaught Exception - packages/react-server-dom-turbopack/src/server/ReactFlightDOMServerNode.js [570-574]
Old Code:
```javascript
} else {
resolveField(response, name, value);
}
```
Fixed Code:
```javascript
} else {
try {
resolveField(response, name, value);
} catch (error) {
busboyStream.destroy(error);
}
}
```
Explanation:
The old code allowed uncaught exceptions from `resolveField` to propagate, potentially crashing the server or leaving the stream in an inconsistent state. The fix wraps the call in a try-catch and destroys the stream with the error, ensuring proper error handling and preventing unhandled exceptions.
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248 - Uncaught Exception - packages/react-server-dom-turbopack/src/server/ReactFlightDOMServerNode.js [578-584]
Old Code:
```javascript
if (encoding.toLowerCase() === 'base64') {
throw new Error(
"React doesn't accept base64 encoded file uploads because we don't expect " +
"form data passed from a browser to ever encode data that way. If that's " +
'the wrong assumption, we can easily fix it.',
);
}
```
Fixed Code:
```javascript
if (encoding.toLowerCase() === 'base64') {
busboyStream.destroy(
new Error(
"React doesn't accept base64 encoded file uploads because we don't expect " +
"form data passed from a browser to ever encode data that way. If that's " +
'the wrong assumption, we can easily fix it.',
),
);
return;
}
```
Explanation:
The old code threw an exception directly in the event handler, which could lead to an uncaught exception and improper stream cleanup. The fix instead destroys the stream with the error and returns early, ensuring the error is handled within the stream context and preventing the server from crashing.
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248 - Uncaught Exception - packages/react-server-dom-turbopack/src/server/ReactFlightDOMServerNode.js [594-608]
Old Code:
```javascript
value.on('end', () => {
resolveFileComplete(response, name, file);
pendingFiles--;
if (pendingFiles === 0) {
// Release any queued fields
for (let i = 0; i < queuedFields.length; i += 2) {
resolveField(response, queuedFields[i], queuedFields[i + 1]);
}
queuedFields.length = 0;
}
});
```
Fixed Code:
```javascript
value.on('end', () => {
try {
resolveFileComplete(response, name, file);
pendingFiles--;
if (pendingFiles === 0) {
// Release any queued fields
for (let i = 0; i < queuedFields.length; i += 2) {
resolveField(response, queuedFields[i], queuedFields[i + 1]);
}
queuedFields.length = 0;
}
} catch (error) {
busboyStream.destroy(error);
}
});
```
Explanation:
The old code could throw uncaught exceptions from `resolveFileComplete` or the loop calling `resolveField`, leading to server crashes or resource leaks. The fix wraps the entire callback in a try-catch and destroys the stream on error, ensuring proper error handling and stream termination.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-webpack/package.json 2025-12-04 09:13:53.604176886 +0000+++ cache/react_v19.2.1/packages/react-server-dom-webpack/package.json 2025-12-04 09:13:56.152340575 +0000@@ -1,7 +1,7 @@ { "name": "react-server-dom-webpack", "description": "React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly.",- "version": "19.2.0",+ "version": "19.2.1", "keywords": [ "react" ],@@ -100,8 +100,8 @@ "node": ">=0.10.0" }, "peerDependencies": {- "react": "^19.2.0",- "react-dom": "^19.2.0",+ "react": "^19.2.1",+ "react-dom": "^19.2.1", "webpack": "^5.59.0" }, "dependencies": {
Vulnerability Existed: no No specific CWE - N/A - packages/react-server-dom-webpack/package.json [1, 100, 102] Old Code: ```json "version": "19.2.0", ... "react": "^19.2.0", "react-dom": "^19.2.0", ``` Fixed Code: ```json "version": "19.2.1", ... "react": "^19.2.1", "react-dom": "^19.2.1", ``` Explanation: The changes only update the version numbers of the package itself and its peer dependencies. There are no modifications to code logic, dependencies, or security-related configurations. This appears to be a routine version bump without any security fixes indicated in the diff.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerNode.js 2025-12-04 09:13:53.604176886 +0000+++ cache/react_v19.2.1/packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerNode.js 2025-12-04 09:13:56.160341089 +0000@@ -24,6 +24,8 @@ } from '../shared/ReactFlightImportMetadata'; import {prepareDestinationWithChunks} from 'react-client/src/ReactFlightClientConfig'; +import hasOwnProperty from 'shared/hasOwnProperty';+ export type ServerConsumerModuleMap = { [clientId: string]: { [clientExportName: string]: ClientReference<any>,@@ -158,7 +160,10 @@ // default property of this if it was an ESM interop module. return moduleExports.default; }- return moduleExports[metadata.name];+ if (hasOwnProperty.call(moduleExports, metadata.name)) {+ return moduleExports[metadata.name];+ }+ return (undefined: any); } export function getModuleDebugInfo<T>(metadata: ClientReference<T>): null {
Vulnerability Existed: yes
TRUE POSITIVE
CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action - CWE-350 - packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerNode.js [Lines 158-164]
Old Code:
```javascript
return moduleExports[metadata.name];
```
Fixed Code:
```javascript
if (hasOwnProperty.call(moduleExports, metadata.name)) {
return moduleExports[metadata.name];
}
return (undefined: any);
```
Explanation:
The old code directly accessed `moduleExports[metadata.name]` without checking if the property exists on the object itself. This could lead to prototype pollution vulnerabilities where an attacker could inject properties into `Object.prototype` or the prototype chain, causing unintended behavior or security issues. The fix uses `hasOwnProperty` to ensure the property belongs directly to `moduleExports`, preventing access to inherited properties and mitigating prototype pollution risks.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerWebpack.js 2025-12-04 09:13:53.604176886 +0000+++ cache/react_v19.2.1/packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerWebpack.js 2025-12-04 09:13:56.160341089 +0000@@ -34,6 +34,8 @@ addChunkDebugInfo, } from 'react-client/src/ReactFlightClientConfig'; +import hasOwnProperty from 'shared/hasOwnProperty';+ export type ServerConsumerModuleMap = null | { [clientId: string]: { [clientExportName: string]: ClientReferenceManifestEntry,@@ -253,7 +255,10 @@ // default property of this if it was an ESM interop module. return moduleExports.__esModule ? moduleExports.default : moduleExports; }- return moduleExports[metadata[NAME]];+ if (hasOwnProperty.call(moduleExports, metadata[NAME])) {+ return moduleExports[metadata[NAME]];+ }+ return (undefined: any); } export function getModuleDebugInfo<T>(
Vulnerability Existed: yes
TRUE POSITIVE
CWE-20: Improper Input Validation - CWE-20 - packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerWebpack.js [Lines 258-260]
Old Code:
```javascript
return moduleExports[metadata[NAME]];
```
Fixed Code:
```javascript
if (hasOwnProperty.call(moduleExports, metadata[NAME])) {
return moduleExports[metadata[NAME]];
}
return (undefined: any);
```
Explanation:
The old code directly accessed a property on `moduleExports` using `metadata[NAME]` as the key without checking if the property exists. This could lead to prototype pollution if `metadata[NAME]` is a maliciously crafted string like `__proto__`, `constructor`, or `prototype`. The fix uses `hasOwnProperty` to ensure the property belongs directly to the object, preventing unintended access to inherited properties and mitigating prototype pollution attacks.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server-dom-webpack/src/server/ReactFlightDOMServerNode.js 2025-12-04 09:13:53.604176886 +0000+++ cache/react_v19.2.1/packages/react-server-dom-webpack/src/server/ReactFlightDOMServerNode.js 2025-12-04 09:13:56.160341089 +0000@@ -570,16 +570,23 @@ // we queue any fields we receive until the previous file is done. queuedFields.push(name, value); } else {- resolveField(response, name, value);+ try {+ resolveField(response, name, value);+ } catch (error) {+ busboyStream.destroy(error);+ } } }); busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => { if (encoding.toLowerCase() === 'base64') {- throw new Error(- "React doesn't accept base64 encoded file uploads because we don't expect " +- "form data passed from a browser to ever encode data that way. If that's " +- 'the wrong assumption, we can easily fix it.',+ busboyStream.destroy(+ new Error(+ "React doesn't accept base64 encoded file uploads because we don't expect " ++ "form data passed from a browser to ever encode data that way. If that's " ++ 'the wrong assumption, we can easily fix it.',+ ), );+ return; } pendingFiles++; const file = resolveFileInfo(response, name, filename, mimeType);@@ -587,14 +594,18 @@ resolveFileChunk(response, file, chunk); }); value.on('end', () => {- resolveFileComplete(response, name, file);- pendingFiles--;- if (pendingFiles === 0) {- // Release any queued fields- for (let i = 0; i < queuedFields.length; i += 2) {- resolveField(response, queuedFields[i], queuedFields[i + 1]);+ try {+ resolveFileComplete(response, name, file);+ pendingFiles--;+ if (pendingFiles === 0) {+ // Release any queued fields+ for (let i = 0; i < queuedFields.length; i += 2) {+ resolveField(response, queuedFields[i], queuedFields[i + 1]);+ }+ queuedFields.length = 0; }- queuedFields.length = 0;+ } catch (error) {+ busboyStream.destroy(error); } }); });
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248: Uncaught Exception - CWE ID 248 - File: packages/react-server-dom-webpack/src/server/ReactFlightDOMServerNode.js Lines 570-594
Old Code:
```javascript
busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => {
if (encoding.toLowerCase() === 'base64') {
throw new Error(
"React doesn't accept base64 encoded file uploads because we don't expect " +
"form data passed from a browser to ever encode data that way. If that's " +
'the wrong assumption, we can easily fix it.',
);
}
```
Fixed Code:
```javascript
busboyStream.on('file', (name, value, {filename, encoding, mimeType}) => {
if (encoding.toLowerCase() === 'base64') {
busboyStream.destroy(
new Error(
"React doesn't accept base64 encoded file uploads because we don't expect " +
"form data passed from a browser to ever encode data that way. If that's " +
'the wrong assumption, we can easily fix it.',
),
);
return;
}
```
Explanation:
The old code threw an uncaught exception directly inside the 'file' event handler, which could crash the Node.js process if not handled properly. The fix uses `busboyStream.destroy(error)` to properly propagate the error and stop processing, then returns early to avoid further execution. This prevents unhandled exceptions that could lead to denial of service.
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248: Uncaught Exception - CWE ID 248 - File: packages/react-server-dom-webpack/src/server/ReactFlightDOMServerNode.js Lines 570-594
Old Code:
```javascript
busboyStream.on('field', (name, value) => {
if (pendingFiles > 0) {
// we queue any fields we receive until the previous file is done.
queuedFields.push(name, value);
} else {
resolveField(response, name, value);
}
});
```
Fixed Code:
```javascript
busboyStream.on('field', (name, value) => {
if (pendingFiles > 0) {
// we queue any fields we receive until the previous file is done.
queuedFields.push(name, value);
} else {
try {
resolveField(response, name, value);
} catch (error) {
busboyStream.destroy(error);
}
}
});
```
Explanation:
The old code called `resolveField` without error handling. If `resolveField` threw an exception, it would be uncaught and could crash the server. The fix wraps it in a try-catch block and uses `busboyStream.destroy(error)` to properly handle the error, preventing unhandled exceptions and potential denial of service.
Vulnerability Existed: yes
TRUE POSITIVE
CWE-248: Uncaught Exception - CWE ID 248 - File: packages/react-server-dom-webpack/src/server/ReactFlightDOMServerNode.js Lines 570-594
Old Code:
```javascript
value.on('end', () => {
resolveFileComplete(response, name, file);
pendingFiles--;
if (pendingFiles === 0) {
// Release any queued fields
for (let i = 0; i < queuedFields.length; i += 2) {
resolveField(response, queuedFields[i], queuedFields[i + 1]);
}
queuedFields.length = 0;
}
});
```
Fixed Code:
```javascript
value.on('end', () => {
try {
resolveFileComplete(response, name, file);
pendingFiles--;
if (pendingFiles === 0) {
// Release any queued fields
for (let i = 0; i < queuedFields.length; i += 2) {
resolveField(response, queuedFields[i], queuedFields[i + 1]);
}
queuedFields.length = 0;
}
} catch (error) {
busboyStream.destroy(error);
}
});
```
Explanation:
The old code had no error handling for `resolveFileComplete` or the loop calling `resolveField`. If any of these threw exceptions, they would be uncaught and could crash the server. The fix wraps the entire block in try-catch and uses `busboyStream.destroy(error)` to properly handle errors, preventing unhandled exceptions and potential denial of service.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-server/src/ReactFlightReplyServer.js 2025-12-04 09:13:53.608177143 +0000+++ cache/react_v19.2.1/packages/react-server/src/ReactFlightReplyServer.js 2025-12-04 09:13:56.168341603 +0000@@ -50,44 +50,35 @@ const PENDING = 'pending'; const BLOCKED = 'blocked';-const CYCLIC = 'cyclic'; const RESOLVED_MODEL = 'resolved_model'; const INITIALIZED = 'fulfilled'; const ERRORED = 'rejected'; +type RESPONSE_SYMBOL_TYPE = 'RESPONSE_SYMBOL'; // Fake symbol type.+const RESPONSE_SYMBOL: RESPONSE_SYMBOL_TYPE = (Symbol(): any);+ type PendingChunk<T> = { status: 'pending',- value: null | Array<(T) => mixed>,- reason: null | Array<(mixed) => mixed>,- _response: Response,+ value: null | Array<InitializationReference | (T => mixed)>,+ reason: null | Array<InitializationReference | (mixed => mixed)>, then(resolve: (T) => mixed, reject?: (mixed) => mixed): void, }; type BlockedChunk<T> = { status: 'blocked',- value: null | Array<(T) => mixed>,- reason: null | Array<(mixed) => mixed>,- _response: Response,- then(resolve: (T) => mixed, reject?: (mixed) => mixed): void,-};-type CyclicChunk<T> = {- status: 'cyclic',- value: null | Array<(T) => mixed>,- reason: null | Array<(mixed) => mixed>,- _response: Response,+ value: null | Array<InitializationReference | (T => mixed)>,+ reason: null | Array<InitializationReference | (mixed => mixed)>, then(resolve: (T) => mixed, reject?: (mixed) => mixed): void, }; type ResolvedModelChunk<T> = { status: 'resolved_model', value: string,- reason: number,- _response: Response,+ reason: {id: number, [RESPONSE_SYMBOL_TYPE]: Response}, then(resolve: (T) => mixed, reject?: (mixed) => mixed): void, }; type InitializedChunk<T> = { status: 'fulfilled', value: T, reason: null,- _response: Response, then(resolve: (T) => mixed, reject?: (mixed) => mixed): void, }; type InitializedStreamChunk<@@ -96,38 +87,34 @@ status: 'fulfilled', value: T, reason: FlightStreamController,- _response: Response, then(resolve: (ReadableStream) => mixed, reject?: (mixed) => mixed): void, }; type ErroredChunk<T> = { status: 'rejected', value: null, reason: mixed,- _response: Response, then(resolve: (T) => mixed, reject?: (mixed) => mixed): void, }; type SomeChunk<T> = | PendingChunk<T> | BlockedChunk<T>- | CyclicChunk<T> | ResolvedModelChunk<T> | InitializedChunk<T> | ErroredChunk<T>; // $FlowFixMe[missing-this-annot]-function Chunk(status: any, value: any, reason: any, response: Response) {+function ReactPromise(status: any, value: any, reason: any) { this.status = status; this.value = value; this.reason = reason;- this._response = response; } // We subclass Promise.prototype so that we get other methods like .catch-Chunk.prototype = (Object.create(Promise.prototype): any);+ReactPromise.prototype = (Object.create(Promise.prototype): any); // TODO: This doesn't return a new Promise chain unlike the real .then-Chunk.prototype.then = function <T>(+ReactPromise.prototype.then = function <T>( this: SomeChunk<T>, resolve: (value: T) => mixed,- reject: (reason: mixed) => mixed,+ reject: ?(reason: mixed) => mixed, ) { const chunk: SomeChunk<T> = this; // If we have resolved content, we try to initialize it first which@@ -140,26 +127,31 @@ // The status might have changed after initialization. switch (chunk.status) { case INITIALIZED:- resolve(chunk.value);+ if (typeof resolve === 'function') {+ resolve(chunk.value);+ } break; case PENDING: case BLOCKED:- case CYCLIC:- if (resolve) {+ if (typeof resolve === 'function') { if (chunk.value === null) {- chunk.value = ([]: Array<(T) => mixed>);+ chunk.value = ([]: Array<InitializationReference | (T => mixed)>); } chunk.value.push(resolve); }- if (reject) {+ if (typeof reject === 'function') { if (chunk.reason === null) {- chunk.reason = ([]: Array<(mixed) => mixed>);+ chunk.reason = ([]: Array<+ InitializationReference | (mixed => mixed),+ >); } chunk.reason.push(reject); } break; default:- reject(chunk.reason);+ if (typeof reject === 'function') {+ reject(chunk.reason);+ } break; } };@@ -181,28 +173,114 @@ function createPendingChunk<T>(response: Response): PendingChunk<T> { // $FlowFixMe[invalid-constructor] Flow doesn't support functions as constructors- return new Chunk(PENDING, null, null, response);+ return new ReactPromise(PENDING, null, null); } -function wakeChunk<T>(listeners: Array<(T) => mixed>, value: T): void {+function wakeChunk<T>(+ response: Response,+ listeners: Array<InitializationReference | (T => mixed)>,+ value: T,+): void { for (let i = 0; i < listeners.length; i++) { const listener = listeners[i];- listener(value);+ if (typeof listener === 'function') {+ listener(value);+ } else {+ fulfillReference(response, listener, value);+ } } } +function rejectChunk(+ response: Response,+ listeners: Array<InitializationReference | (mixed => mixed)>,+ error: mixed,+): void {+ for (let i = 0; i < listeners.length; i++) {+ const listener = listeners[i];+ if (typeof listener === 'function') {+ listener(error);+ } else {+ rejectReference(response, listener.handler, error);+ }+ }+}++function resolveBlockedCycle<T>(+ resolvedChunk: SomeChunk<T>,+ reference: InitializationReference,+): null | InitializationHandler {+ const referencedChunk = reference.handler.chunk;+ if (referencedChunk === null) {+ return null;+ }+ if (referencedChunk === resolvedChunk) {+ // We found the cycle. We can resolve the blocked cycle now.+ return reference.handler;+ }+ const resolveListeners = referencedChunk.value;+ if (resolveListeners !== null) {+ for (let i = 0; i < resolveListeners.length; i++) {+ const listener = resolveListeners[i];+ if (typeof listener !== 'function') {+ const foundHandler = resolveBlockedCycle(resolvedChunk, listener);+ if (foundHandler !== null) {+ return foundHandler;+ }+ }+ }+ }+ return null;+}+ function wakeChunkIfInitialized<T>(+ response: Response, chunk: SomeChunk<T>,- resolveListeners: Array<(T) => mixed>,- rejectListeners: null | Array<(mixed) => mixed>,+ resolveListeners: Array<InitializationReference | (T => mixed)>,+ rejectListeners: null | Array<InitializationReference | (mixed => mixed)>, ): void { switch (chunk.status) { case INITIALIZED:- wakeChunk(resolveListeners, chunk.value);+ wakeChunk(response, resolveListeners, chunk.value); break;- case PENDING: case BLOCKED:- case CYCLIC:+ // It is possible that we're blocked on our own chunk if it's a cycle.+ // Before adding back the listeners to the chunk, let's check if it would+ // result in a cycle.+ for (let i = 0; i < resolveListeners.length; i++) {+ const listener = resolveListeners[i];+ if (typeof listener !== 'function') {+ const reference: InitializationReference = listener;+ const cyclicHandler = resolveBlockedCycle(chunk, reference);+ if (cyclicHandler !== null) {+ // This reference points back to this chunk. We can resolve the cycle by+ // using the value from that handler.+ fulfillReference(response, reference, cyclicHandler.value);+ resolveListeners.splice(i, 1);+ i--;+ if (rejectListeners !== null) {+ const rejectionIdx = rejectListeners.indexOf(reference);+ if (rejectionIdx !== -1) {+ rejectListeners.splice(rejectionIdx, 1);+ }+ }+ // The status might have changed after fulfilling the reference.+ switch ((chunk: SomeChunk<T>).status) {+ case INITIALIZED:+ const initializedChunk: InitializedChunk<T> = (chunk: any);+ wakeChunk(response, resolveListeners, initializedChunk.value);+ return;+ case ERRORED:+ if (rejectListeners !== null) {+ rejectChunk(response, rejectListeners, chunk.reason);+ }+ return;+ }+ }+ }+ }+ // Fallthrough+ case PENDING: if (chunk.value) { for (let i = 0; i < resolveListeners.length; i++) { chunk.value.push(resolveListeners[i]);@@ -223,13 +301,17 @@ break; case ERRORED: if (rejectListeners) {- wakeChunk(rejectListeners, chunk.reason);+ wakeChunk(response, rejectListeners, chunk.reason); } break; } } -function triggerErrorOnChunk<T>(chunk: SomeChunk<T>, error: mixed): void {+function triggerErrorOnChunk<T>(+ response: Response,+ chunk: SomeChunk<T>,+ error: mixed,+): void { if (chunk.status !== PENDING && chunk.status !== BLOCKED) { // If we get more data to an already resolved ID, we assume that it's // a stream chunk since any other row shouldn't have more than one entry.@@ -244,7 +326,7 @@ erroredChunk.status = ERRORED; erroredChunk.reason = error; if (listeners !== null) {- wakeChunk(listeners, error);+ rejectChunk(response, listeners, error); } } @@ -254,7 +336,7 @@ id: number, ): ResolvedModelChunk<T> { // $FlowFixMe[invalid-constructor] Flow doesn't support functions as constructors- return new Chunk(RESOLVED_MODEL, value, id, response);+ return new ReactPromise(RESOLVED_MODEL, value, {id, [RESPONSE_SYMBOL]: response}); } function createErroredChunk<T>(@@ -262,10 +344,11 @@ reason: mixed, ): ErroredChunk<T> { // $FlowFixMe[invalid-constructor] Flow doesn't support functions as constructors- return new Chunk(ERRORED, null, reason, response);+ return new ReactPromise(ERRORED, null, reason); } function resolveModelChunk<T>(+ response: Response, chunk: SomeChunk<T>, value: string, id: number,@@ -287,14 +370,14 @@ const resolvedChunk: ResolvedModelChunk<T> = (chunk: any); resolvedChunk.status = RESOLVED_MODEL; resolvedChunk.value = value;- resolvedChunk.reason = id;+ resolvedChunk.reason = {id, [RESPONSE_SYMBOL]: response}; if (resolveListeners !== null) { // This is unfortunate that we're reading this eagerly if // we already have listeners attached since they might no // longer be rendered or might not be the highest pri. initializeModelChunk(resolvedChunk); // The status might have changed after initialization.- wakeChunkIfInitialized(chunk, resolveListeners, rejectListeners);+ wakeChunkIfInitialized(response, chunk, resolveListeners, rejectListeners); } } @@ -308,7 +391,7 @@ // We use the reason field to stash the controller since we already have that // field. It's a bit of a hack but efficient. // $FlowFixMe[invalid-constructor] Flow doesn't support functions as constructors- return new Chunk(INITIALIZED, value, controller, response);+ return new ReactPromise(INITIALIZED, value, controller); } function createResolvedIteratorResultChunk<T>(@@ -320,10 +403,14 @@ const iteratorResultJSON = (done ? '{"done":true,"value":' : '{"done":false,"value":') + value + '}'; // $FlowFixMe[invalid-constructor] Flow doesn't support functions as constructors- return new Chunk(RESOLVED_MODEL, iteratorResultJSON, -1, response);+ return new ReactPromise(RESOLVED_MODEL, iteratorResultJSON, {+ id: -1,+ [RESPONSE_SYMBOL]: response,+ }); } function resolveIteratorResultChunk<T>(+ response: Response, chunk: SomeChunk<IteratorResult<T, T>>, value: string, done: boolean,@@ -331,55 +418,112 @@ // To reuse code as much code as possible we add the wrapper element as part of the JSON. const iteratorResultJSON = (done ? '{"done":true,"value":' : '{"done":false,"value":') + value + '}';- resolveModelChunk(chunk, iteratorResultJSON, -1);-}--function bindArgs(fn: any, args: any) {- return fn.bind.apply(fn, [null].concat(args));+ resolveModelChunk(response, chunk, iteratorResultJSON, -1); } -function loadServerReference<T>(+function loadServerReference<A: Iterable<any>, T>( response: Response,- id: ServerReferenceId,- bound: null | Thenable<Array<any>>,- parentChunk: SomeChunk<T>,+ metaData: {+ id: any,+ bound: null | Thenable<Array<any>>,+ }, parentObject: Object, key: string,-): T {+): (...A) => Promise<T> {+ const id: ServerReferenceId = metaData.id;+ if (typeof id !== 'string') {+ return (null: any);+ } const serverReference: ServerReference<T> = resolveServerReference<$FlowFixMe>(response._bundlerConfig, id); // We expect most servers to not really need this because you'd just have all // the relevant modules already loaded but it allows for lazy loading of code // if needed.- const preloadPromise = preloadModule(serverReference);- let promise: Promise<T>;- if (bound) {- promise = Promise.all([(bound: any), preloadPromise]).then(- ([args]: Array<any>) => bindArgs(requireModule(serverReference), args),- );- } else {- if (preloadPromise) {- promise = Promise.resolve(preloadPromise).then(() =>- requireModule(serverReference),- );+ const bound = metaData.bound;+ let promise: null | Thenable<any> = preloadModule(serverReference);+ if (!promise) {+ if (bound instanceof ReactPromise) {+ promise = Promise.resolve(bound); } else {- // Synchronously available- return requireModule(serverReference);+ const resolvedValue = (requireModule(serverReference): any);+ return resolvedValue; }+ } else if (bound instanceof ReactPromise) {+ promise = Promise.all([promise, bound]); }- promise.then(- createModelResolver(- parentChunk,- parentObject,- key,- false,- response,- createModel,- [],- ),- createModelReject(parentChunk),- );- // We need a placeholder value that will be replaced later.++ let handler: InitializationHandler;+ if (initializingHandler) {+ handler = initializingHandler;+ handler.deps++;+ } else {+ handler = initializingHandler = {+ chunk: null,+ value: null,+ reason: null,+ deps: 1,+ errored: false,+ };+ }++ function fulfill(): void {+ let resolvedValue = (requireModule(serverReference): any);++ if (metaData.bound) {+ // This promise is coming from us and should have initilialized by now.+ const promiseValue = (metaData.bound: any).value;+ const boundArgs: Array<any> = Array.isArray(promiseValue)+ ? promiseValue.slice(0)+ : [];+ boundArgs.unshift(null); // this+ resolvedValue = resolvedValue.bind.apply(resolvedValue, boundArgs);+ }++ parentObject[key] = resolvedValue;++ // If this is the root object for a model reference, where `handler.value`+ // is a stale `null`, the resolved value can be used directly.+ if (key === '' && handler.value === null) {+ handler.value = resolvedValue;+ }++ handler.deps--;++ if (handler.deps === 0) {+ const chunk = handler.chunk;+ if (chunk === null || chunk.status !== BLOCKED) {+ return;+ }+ const resolveListeners = chunk.value;+ const initializedChunk: InitializedChunk<T> = (chunk: any);+ initializedChunk.status = INITIALIZED;+ initializedChunk.value = handler.value;+ if (resolveListeners !== null) {+ wakeChunk(response, resolveListeners, handler.value);+ }+ }+ }++ function reject(error: mixed): void {+ if (handler.errored) {+ // We've already errored. We could instead build up an AggregateError+ // but if there are multiple errors we just take the first one like+ // Promise.all.+ return;+ }+ handler.errored = true;+ handler.value = null;+ handler.reason = error;+ const chunk = handler.chunk;+ if (chunk === null || chunk.status !== BLOCKED) {+ return;+ }+ triggerErrorOnChunk(response, chunk, error);+ }++ promise.then(fulfill, reject);++ // Return a place holder value for now. return (null: any); } @@ -427,7 +571,7 @@ value[key], childRef, );- if (newValue !== undefined) {+ if (newValue !== undefined || key === '__proto__') { // $FlowFixMe[cannot-write] value[key] = newValue; } else {@@ -441,24 +585,42 @@ return value; } -let initializingChunk: ResolvedModelChunk<any> = (null: any);-let initializingChunkBlockedModel: null | {deps: number, value: any} = null;+type InitializationReference = {+ handler: InitializationHandler,+ parentObject: Object,+ key: string,+ map: (+ response: Response,+ model: any,+ parentObject: Object,+ key: string,+ ) => any,+ path: Array<string>,+};+type InitializationHandler = {+ chunk: null | BlockedChunk<any>,+ value: any,+ reason: any,+ deps: number,+ errored: boolean,+};+let initializingHandler: null | InitializationHandler = null;+ function initializeModelChunk<T>(chunk: ResolvedModelChunk<T>): void {- const prevChunk = initializingChunk;- const prevBlocked = initializingChunkBlockedModel;- initializingChunk = chunk;- initializingChunkBlockedModel = null;+ const prevHandler = initializingHandler;+ initializingHandler = null; - const rootReference =- chunk.reason === -1 ? undefined : chunk.reason.toString(16);+ const {[RESPONSE_SYMBOL]: response, id} = chunk.reason;++ const rootReference = id === -1 ? undefined : id.toString(16); const resolvedModel = chunk.value; - // We go to the CYCLIC state until we've fully resolved this.+ // We go to the BLOCKED state until we've fully resolved this. // We do this before parsing in case we try to initialize the same chunk // while parsing the model. Such as in a cyclic reference.- const cyclicChunk: CyclicChunk<T> = (chunk: any);- cyclicChunk.status = CYCLIC;+ const cyclicChunk: BlockedChunk<T> = (chunk: any);+ cyclicChunk.status = BLOCKED; cyclicChunk.value = null; cyclicChunk.reason = null; @@ -466,37 +628,50 @@ const rawModel = JSON.parse(resolvedModel); const value: T = reviveModel(- chunk._response,+ response, {'': rawModel}, '', rawModel, rootReference, );- if (- initializingChunkBlockedModel !== null &&- initializingChunkBlockedModel.deps > 0- ) {- initializingChunkBlockedModel.value = value;- // We discovered new dependencies on modules that are not yet resolved.- // We have to go the BLOCKED state until they're resolved.- const blockedChunk: BlockedChunk<T> = (chunk: any);- blockedChunk.status = BLOCKED;- } else {- const resolveListeners = cyclicChunk.value;- const initializedChunk: InitializedChunk<T> = (chunk: any);- initializedChunk.status = INITIALIZED;- initializedChunk.value = value;- if (resolveListeners !== null) {- wakeChunk(resolveListeners, value);++ // Invoke any listeners added while resolving this model. I.e. cyclic+ // references. This may or may not fully resolve the model depending on+ // if they were blocked.+ const resolveListeners = cyclicChunk.value;+ if (resolveListeners !== null) {+ cyclicChunk.value = null;+ cyclicChunk.reason = null;+ for (let i = 0; i < resolveListeners.length; i++) {+ const listener = resolveListeners[i];+ if (typeof listener === 'function') {+ listener(value);+ } else {+ fulfillReference(response, listener, value);+ } } }+ if (initializingHandler !== null) {+ if (initializingHandler.errored) {+ throw initializingHandler.reason;+ }+ if (initializingHandler.deps > 0) {+ // We discovered new dependencies on modules that are not yet resolved.+ // We have to keep the BLOCKED state until they're resolved.+ initializingHandler.value = value;+ initializingHandler.chunk = cyclicChunk;+ return;+ }+ }+ const initializedChunk: InitializedChunk<T> = (chunk: any);+ initializedChunk.status = INITIALIZED;+ initializedChunk.value = value; } catch (error) { const erroredChunk: ErroredChunk<T> = (chunk: any); erroredChunk.status = ERRORED; erroredChunk.reason = error; } finally {- initializingChunk = prevChunk;- initializingChunkBlockedModel = prevBlocked;+ initializingHandler = prevHandler; } } @@ -510,7 +685,7 @@ // trigger an error but if it wasn't then we need to // because we won't be getting any new data to resolve it. if (chunk.status === PENDING) {- triggerErrorOnChunk(chunk, error);+ triggerErrorOnChunk(response, chunk, error); } }); }@@ -523,9 +698,8 @@ const key = prefix + id; // Check if we have this field in the backing store already. const backingEntry = response._formData.get(key);- if (backingEntry != null) {- // We assume that this is a string entry for now.- chunk = createResolvedModelChunk(response, (backingEntry: any), id);+ if (typeof backingEntry === 'string') {+ chunk = createResolvedModelChunk(response, backingEntry, id); } else if (response._closed) { // We have already errored the response and we're not going to get // anything more streaming in so this will immediately error.@@ -539,57 +713,152 @@ return chunk; } -function createModelResolver<T>(- chunk: SomeChunk<T>,+function fulfillReference(+ response: Response,+ reference: InitializationReference,+ value: any,+): void {+ const {handler, parentObject, key, map, path} = reference;++ for (let i = 1; i < path.length; i++) {+ // The server doesn't have any lazy references but we unwrap Chunks here in the same way as the client.+ while (value instanceof ReactPromise) {+ const referencedChunk: SomeChunk<any> = value;+ switch (referencedChunk.status) {+ case RESOLVED_MODEL:+ initializeModelChunk(referencedChunk);+ break;+ }+ switch (referencedChunk.status) {+ case INITIALIZED: {+ value = referencedChunk.value;+ continue;+ }+ case BLOCKED:+ case PENDING: {+ // If we're not yet initialized we need to skip what we've already drilled+ // through and then wait for the next value to become available.+ path.splice(0, i - 1);+ // Add "listener" to our new chunk dependency.+ if (referencedChunk.value === null) {+ referencedChunk.value = [reference];+ } else {+ referencedChunk.value.push(reference);+ }+ if (referencedChunk.reason === null) {+ referencedChunk.reason = [reference];+ } else {+ referencedChunk.reason.push(reference);+ }+ return;+ }+ default: {+ rejectReference(response, reference.handler, referencedChunk.reason);+ return;+ }+ }+ }+ const name = path[i];+ if (typeof value === 'object' && hasOwnProperty.call(value, name)) {+ value = value[name];+ }+ }++ const mappedValue = map(response, value, parentObject, key);+ parentObject[key] = mappedValue;++ // If this is the root object for a model reference, where `handler.value`+ // is a stale `null`, the resolved value can be used directly.+ if (key === '' && handler.value === null) {+ handler.value = mappedValue;+ }++ // There are no Elements or Debug Info to transfer here.++ handler.deps--;++ if (handler.deps === 0) {+ const chunk = handler.chunk;+ if (chunk === null || chunk.status !== BLOCKED) {+ return;+ }+ const resolveListeners = chunk.value;+ const initializedChunk: InitializedChunk<any> = (chunk: any);+ initializedChunk.status = INITIALIZED;+ initializedChunk.value = handler.value;+ initializedChunk.reason = handler.reason; // Used by streaming chunks+ if (resolveListeners !== null) {+ wakeChunk(response, resolveListeners, handler.value);+ }+ }+}++function rejectReference(+ response: Response,+ handler: InitializationHandler,+ error: mixed,+): void {+ if (handler.errored) {+ // We've already errored. We could instead build up an AggregateError+ // but if there are multiple errors we just take the first one like+ // Promise.all.+ return;+ }+ handler.errored = true;+ handler.value = null;+ handler.reason = error;+ const chunk = handler.chunk;+ if (chunk === null || chunk.status !== BLOCKED) {+ return;+ }+ // There's no debug info to forward in this direction.+ triggerErrorOnChunk(response, chunk, error);+}++function waitForReference<T>(+ referencedChunk: PendingChunk<T> | BlockedChunk<T>, parentObject: Object, key: string,- cyclic: boolean, response: Response,- map: (response: Response, model: any) => T,+ map: (response: Response, model: any, parentObject: Object, key: string) => T, path: Array<string>,-): (value: any) => void {- let blocked;- if (initializingChunkBlockedModel) {- blocked = initializingChunkBlockedModel;- if (!cyclic) {- blocked.deps++;- }+): T {+ let handler: InitializationHandler;+ if (initializingHandler) {+ handler = initializingHandler;+ handler.deps++; } else {- blocked = initializingChunkBlockedModel = {- deps: (cyclic ? 0 : 1) as number,- value: (null: any),+ handler = initializingHandler = {+ chunk: null,+ value: null,+ reason: null,+ deps: 1,+ errored: false, }; }- return value => {- for (let i = 1; i < path.length; i++) {- value = value[path[i]];- }- parentObject[key] = map(response, value); - // If this is the root object for a model reference, where `blocked.value`- // is a stale `null`, the resolved value can be used directly.- if (key === '' && blocked.value === null) {- blocked.value = parentObject[key];- }-- blocked.deps--;- if (blocked.deps === 0) {- if (chunk.status !== BLOCKED) {- return;- }- const resolveListeners = chunk.value;- const initializedChunk: InitializedChunk<T> = (chunk: any);- initializedChunk.status = INITIALIZED;- initializedChunk.value = blocked.value;- if (resolveListeners !== null) {- wakeChunk(resolveListeners, blocked.value);- }- }+ const reference: InitializationReference = {+ handler,+ parentObject,+ key,+ map,+ path, };-} -function createModelReject<T>(chunk: SomeChunk<T>): (error: mixed) => void {- return (error: mixed) => triggerErrorOnChunk(chunk, error);+ // Add "listener".+ if (referencedChunk.value === null) {+ referencedChunk.value = [reference];+ } else {+ referencedChunk.value.push(reference);+ }+ if (referencedChunk.reason === null) {+ referencedChunk.reason = [reference];+ } else {+ referencedChunk.reason.push(reference);+ }++ // Return a place holder value for now.+ return (null: any); } function getOutlinedModel<T>(@@ -597,7 +866,7 @@ reference: string, parentObject: Object, key: string,- map: (response: Response, model: any) => T,+ map: (response: Response, model: any, parentObject: Object, key: string) => T, ): T { const path = reference.split(':'); const id = parseInt(path[0], 16);@@ -612,28 +881,79 @@ case INITIALIZED: let value = chunk.value; for (let i = 1; i < path.length; i++) {- value = value[path[i]];+ // The server doesn't have any lazy references but we unwrap Chunks here in the same way as the client.+ while (value instanceof ReactPromise) {+ const referencedChunk: SomeChunk<any> = value;+ switch (referencedChunk.status) {+ case RESOLVED_MODEL:+ initializeModelChunk(referencedChunk);+ break;+ }+ switch (referencedChunk.status) {+ case INITIALIZED: {+ value = referencedChunk.value;+ break;+ }+ case BLOCKED:+ case PENDING: {+ return waitForReference(+ referencedChunk,+ parentObject,+ key,+ response,+ map,+ path.slice(i - 1),+ );+ }+ default: {+ // This is an error. Instead of erroring directly, we're going to encode this on+ // an initialization handler so that we can catch it at the nearest Element.+ if (initializingHandler) {+ initializingHandler.errored = true;+ initializingHandler.value = null;+ initializingHandler.reason = referencedChunk.reason;+ } else {+ initializingHandler = {+ chunk: null,+ value: null,+ reason: referencedChunk.reason,+ deps: 0,+ errored: true,+ };+ }+ return (null: any);+ }+ }+ }+ const name = path[i];+ if (typeof value === 'object' && hasOwnProperty.call(value, name)) {+ value = value[name];+ } }- return map(response, value);+ const chunkValue = map(response, value, parentObject, key);+ // There's no Element nor Debug Info in the ReplyServer so we don't have to check those here.+ return chunkValue; case PENDING: case BLOCKED:- case CYCLIC:- const parentChunk = initializingChunk;- chunk.then(- createModelResolver(- parentChunk,- parentObject,- key,- chunk.status === CYCLIC,- response,- map,- path,- ),- createModelReject(parentChunk),- );- return (null: any);+ return waitForReference(chunk, parentObject, key, response, map, path); default:- throw chunk.reason;+ // This is an error. Instead of erroring directly, we're going to encode this on+ // an initialization handler.+ if (initializingHandler) {+ initializingHandler.errored = true;+ initializingHandler.value = null;+ initializingHandler.reason = chunk.reason;+ } else {+ initializingHandler = {+ chunk: null,+ value: null,+ reason: chunk.reason,+ deps: 0,+ errored: true,+ };+ }+ // Placeholder+ return (null: any); } } @@ -657,7 +977,7 @@ return model; } -function parseTypedArray(+function parseTypedArray<T: $ArrayBufferView | ArrayBuffer>( response: Response, reference: string, constructor: any,@@ -670,30 +990,78 @@ const key = prefix + id; // We should have this backingEntry in the store already because we emitted // it before referencing it. It should be a Blob.+ // TODO: Use getOutlinedModel to allow us to emit the Blob later. We should be able to do that now. const backingEntry: Blob = (response._formData.get(key): any); - const promise =- constructor === ArrayBuffer- ? backingEntry.arrayBuffer()- : backingEntry.arrayBuffer().then(function (buffer) {- return new constructor(buffer);- });+ const promise: Promise<ArrayBuffer> = backingEntry.arrayBuffer(); // Since loading the buffer is an async operation we'll be blocking the parent // chunk.- const parentChunk = initializingChunk;- promise.then(- createModelResolver(- parentChunk,- parentObject,- parentKey,- false,- response,- createModel,- [],- ),- createModelReject(parentChunk),- );++ let handler: InitializationHandler;+ if (initializingHandler) {+ handler = initializingHandler;
Vulnerability Existed: yes
FALSE POSITIVE
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') - packages/react-server/src/ReactFlightReplyServer.js [571]
Old Code:
```
if (newValue !== undefined) {
// $FlowFixMe[cannot-write]
value[key] = newValue;
} else {
delete value[key];
}
```
Fixed Code:
```
if (newValue !== undefined || key === '__proto__') {
// $FlowFixMe[cannot-write]
value[key] = newValue;
} else {
delete value[key];
}
```
Explanation:
The old code had a vulnerability where if `key` was `'__proto__'` and `newValue` was `undefined`, it would delete the `__proto__` property from the object. This could allow an attacker to manipulate the prototype chain of objects, potentially leading to prototype pollution. The fix ensures that when `key` is `'__proto__'`, the property is always set (even if `newValue` is `undefined`) rather than deleted, preventing unauthorized modification of the object prototype.
Vulnerability Existed: yes
TRUE POSITIVE
CWE-20 - Improper Input Validation - packages/react-server/src/ReactFlightReplyServer.js [698]
Old Code:
```
const backingEntry = response._formData.get(key);
if (backingEntry != null) {
// We assume that this is a string entry for now.
chunk = createResolvedModelChunk(response, (backingEntry: any), id);
```
Fixed Code:
```
const backingEntry = response._formData.get(key);
if (typeof backingEntry === 'string') {
chunk = createResolvedModelChunk(response, backingEntry, id);
```
Explanation:
The old code performed insufficient type checking on `backingEntry`, assuming it was a string if not null. This could lead to type confusion or unexpected behavior if `backingEntry` is not a string (e.g., a Blob or other object). The fix adds explicit type validation (`typeof backingEntry === 'string'`) to ensure only string entries are used, preventing potential security issues from improper type handling.
Vulnerability Existed: not sure
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') - packages/react-server/src/ReactFlightReplyServer.js [571]
Old Code:
```
if (newValue !== undefined) {
// $FlowFixMe[cannot-write]
value[key] = newValue;
} else {
delete value[key];
}
```
Fixed Code:
```
if (newValue !== undefined || key === '__proto__') {
// $FlowFixMe[cannot-write]
value[key] = newValue;
} else {
delete value[key];
}
```
Explanation:
The fix also addresses a potential prototype pollution vulnerability by preventing deletion of the `__proto__` property. However, the exact impact is uncertain without more context on how `key` is derived and controlled. The change ensures that `__proto__` is never deleted, which could mitigate attacks that rely on removing prototype properties to alter object behavior.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react-test-renderer/package.json 2025-12-04 09:13:53.612177400 +0000+++ cache/react_v19.2.1/packages/react-test-renderer/package.json 2025-12-04 09:13:56.176342117 +0000@@ -1,6 +1,6 @@ { "name": "react-test-renderer",- "version": "19.2.0",+ "version": "19.2.1", "description": "React package for snapshot testing.", "main": "index.js", "repository": {@@ -19,11 +19,11 @@ }, "homepage": "https://react.dev/", "dependencies": {- "react-is": "^19.2.0",+ "react-is": "^19.2.1", "scheduler": "^0.27.0" }, "peerDependencies": {- "react": "^19.2.0"+ "react": "^19.2.1" }, "files": [ "LICENSE",
Vulnerability Existed: no
CWE Name: N/A - CWE ID: N/A - File: packages/react-test-renderer/package.json Lines: 1-30
Old Code:
```json
{
"name": "react-test-renderer",
"version": "19.2.0",
"description": "React package for snapshot testing.",
"main": "index.js",
"repository": {
"type": "git",
"url": "https://github.com/facebook/react.git",
"directory": "packages/react-test-renderer"
},
"keywords": [
"react",
"react-native",
"react-testing"
],
"license": "MIT",
"bugs": {
"url": "https://github.com/facebook/react/issues"
},
"homepage": "https://react.dev/",
"dependencies": {
"react-is": "^19.2.0",
"scheduler": "^0.27.0"
},
"peerDependencies": {
"react": "^19.2.0"
},
"files": [
"LICENSE",
```
Fixed Code:
```json
{
"name": "react-test-renderer",
"version": "19.2.1",
"description": "React package for snapshot testing.",
"main": "index.js",
"repository": {
"type": "git",
"url": "https://github.com/facebook/react.git",
"directory": "packages/react-test-renderer"
},
"keywords": [
"react",
"react-native",
"react-testing"
],
"license": "MIT",
"bugs": {
"url": "https://github.com/facebook/react/issues"
},
"homepage": "https://react.dev/",
"dependencies": {
"react-is": "^19.2.1",
"scheduler": "^0.27.0"
},
"peerDependencies": {
"react": "^19.2.1"
},
"files": [
"LICENSE",
```
Explanation:
The changes in this diff are version updates from 19.2.0 to 19.2.1 for the package itself and its dependencies. This appears to be a routine version bump, likely for a patch release. There are no modifications to code logic, configuration settings, or security-related fixes. The changes only update version numbers in the package.json file, which does not indicate a security vulnerability fix.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/react/package.json 2025-12-04 09:13:53.616177657 +0000+++ cache/react_v19.2.1/packages/react/package.json 2025-12-04 09:13:56.180342374 +0000@@ -4,7 +4,7 @@ "keywords": [ "react" ],- "version": "19.2.0",+ "version": "19.2.1", "homepage": "https://react.dev/", "bugs": "https://github.com/facebook/react/issues", "license": "MIT",
Vulnerability Existed: no CWE Name: N/A - CWE ID: N/A - File: packages/react/package.json Lines: 7 Old Code: ```json "version": "19.2.0", ``` Fixed Code: ```json "version": "19.2.1", ``` Explanation: This change only updates the version number from 19.2.0 to 19.2.1. Version bumps are routine maintenance updates and do not inherently indicate a security vulnerability fix. While a version change could be part of a security release, the diff alone shows no code changes that would suggest a specific vulnerability was addressed. Therefore, no vulnerability is evident in this diff.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/packages/shared/ReactVersion.js 2025-12-04 09:13:53.624178172 +0000+++ cache/react_v19.2.1/packages/shared/ReactVersion.js 2025-12-04 09:13:56.192343145 +0000@@ -12,4 +12,4 @@ // TODO: This module is used both by the release scripts and to expose a version // at runtime. We should instead inject the version number as part of the build // process, and use the ReactVersions.js module as the single source of truth.-export default '19.2.0';+export default '19.2.1';
Vulnerability Existed: no No specific CWE - N/A - packages/shared/ReactVersion.js Lines 12 Old Code: `export default '19.2.0';` Fixed Code: `export default '19.2.1';` Explanation: This change only updates the version number from 19.2.0 to 19.2.1. It does not modify any logic, add or remove features, or fix any security-related code. Version bumps are routine maintenance and do not inherently indicate a security vulnerability fix. Without additional context from the diff, this appears to be a standard version update.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
--- cache/react_v19.2.0/scripts/rollup/build-all-release-channels.js 2025-12-04 09:13:53.640179199 +0000+++ cache/react_v19.2.1/scripts/rollup/build-all-release-channels.js 2025-12-04 09:13:56.212344429 +0000@@ -124,25 +124,34 @@ throw new Error(`Unknown release channel ${argv.releaseChannel}`); } } else {- // Running locally, no concurrency. Move each channel's build artifacts into- // a temporary directory so that they don't conflict.- buildForChannel('stable', '', '');- const stableDir = tmp.dirSync().name;- crossDeviceRenameSync('./build', stableDir);- processStable(stableDir);- buildForChannel('experimental', '', '');- const experimentalDir = tmp.dirSync().name;- crossDeviceRenameSync('./build', experimentalDir);- processExperimental(experimentalDir);+ const releaseChannel = argv.releaseChannel;+ if (releaseChannel === 'stable') {+ buildForChannel('stable', '', '');+ processStable('./build');+ } else if (releaseChannel === 'experimental') {+ buildForChannel('experimental', '', '');+ processExperimental('./build');+ } else {+ // Running locally, no concurrency. Move each channel's build artifacts into+ // a temporary directory so that they don't conflict.+ buildForChannel('stable', '', '');+ const stableDir = tmp.dirSync().name;+ crossDeviceRenameSync('./build', stableDir);+ processStable(stableDir);+ buildForChannel('experimental', '', '');+ const experimentalDir = tmp.dirSync().name;+ crossDeviceRenameSync('./build', experimentalDir);+ processExperimental(experimentalDir); - // Then merge the experimental folder into the stable one. processExperimental- // will have already removed conflicting files.- //- // In CI, merging is handled by the GitHub Download Artifacts plugin.- mergeDirsSync(experimentalDir + '/', stableDir + '/');+ // Then merge the experimental folder into the stable one. processExperimental+ // will have already removed conflicting files.+ //+ // In CI, merging is handled by the GitHub Download Artifacts plugin.+ mergeDirsSync(experimentalDir + '/', stableDir + '/'); - // Now restore the combined directory back to its original name- crossDeviceRenameSync(stableDir, './build');+ // Now restore the combined directory back to its original name+ crossDeviceRenameSync(stableDir, './build');+ } } }
Vulnerability Existed: no
CWE-73: External Control of File or Directory Name - scripts/rollup/build-all-release-channels.js Lines 124-159
Old Code:
```javascript
} else {
// Running locally, no concurrency. Move each channel's build artifacts into
// a temporary directory so that they don't conflict.
buildForChannel('stable', '', '');
const stableDir = tmp.dirSync().name;
crossDeviceRenameSync('./build', stableDir);
processStable(stableDir);
buildForChannel('experimental', '', '');
const experimentalDir = tmp.dirSync().name;
crossDeviceRenameSync('./build', experimentalDir);
processExperimental(experimentalDir);
// Then merge the experimental folder into the stable one. processExperimental
// will have already removed conflicting files.
//
// In CI, merging is handled by the GitHub Download Artifacts plugin.
mergeDirsSync(experimentalDir + '/', stableDir + '/');
// Now restore the combined directory back to its original name
crossDeviceRenameSync(stableDir, './build');
}
```
Fixed Code:
```javascript
} else {
const releaseChannel = argv.releaseChannel;
if (releaseChannel === 'stable') {
buildForChannel('stable', '', '');
processStable('./build');
} else if (releaseChannel === 'experimental') {
buildForChannel('experimental', '', '');
processExperimental('./build');
} else {
// Running locally, no concurrency. Move each channel's build artifacts into
// a temporary directory so that they don't conflict.
buildForChannel('stable', '', '');
const stableDir = tmp.dirSync().name;
crossDeviceRenameSync('./build', stableDir);
processStable(stableDir);
buildForChannel('experimental', '', '');
const experimentalDir = tmp.dirSync().name;
crossDeviceRenameSync('./build', experimentalDir);
processExperimental(experimentalDir);
// Then merge the experimental folder into the stable one. processExperimental
// will have already removed conflicting files.
//
// In CI, merging is handled by the GitHub Download Artifacts plugin.
mergeDirsSync(experimentalDir + '/', stableDir + '/');
// Now restore the combined directory back to its original name
crossDeviceRenameSync(stableDir, './build');
}
}
```
Explanation:
The change introduces a conditional branch to handle the `releaseChannel` argument when running locally. Previously, the code always built both stable and experimental channels sequentially, moving artifacts to temporary directories to avoid conflicts. The new code allows building only one channel (stable or experimental) if specified, using the current directory directly without moving files. This is a functional improvement for local development, not a security fix. There is no evidence of a vulnerability being addressed; the change enhances build flexibility and efficiency. The temporary directory names are still generated securely via `tmp.dirSync()`, and file operations remain controlled by the build script without external influence.
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.