https://spaceraccoon.github.io/vulnerability-spoiler-alert Vulnerability alerts for facebook/react en-us Fri, 17 Apr 2026 02:58:17 GMT https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/126 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/126 Mon, 30 Mar 2026 17:16:08 GMT The compiler playground parsed user-supplied config overrides using `new Function(...)`, which executes arbitrary JavaScript code in the browser context. An attacker could craft a malicious URL with a base64/encoded config payload containing arbitrary JS, which when shared and opened by a victim, would execute the attacker's code in the victim's browser. The patch replaces `new Function(...)` with JSON5 parsing, which only allows data literals and rejects executable code. high unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/78 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/78 Tue, 17 Mar 2026 11:03:07 GMT The `$B` (Blob) case in `parseModelString` did not validate that the FormData entry was actually a Blob before returning it. Since `FormData.get()` can return either a string or a Blob/File, an attacker could craft a malformed Server Action payload that stores a large string under a key and references it via `$B`, bypassing the `bumpArrayCount` size guard that applies to regular string values. The patch adds an `instanceof Blob` check that throws an error if the backing entry is not a real Blob, closing this bypass. While the PR notes this doesn't produce meaningful amplification on its own, it is a defense-in-depth fix against potential combined attacks. low unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/40 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/40 Thu, 19 Feb 2026 17:05:56 GMT The original code used JSON.parse with a reviver function that could potentially allow __proto__ property manipulation during RSC payload deserialization. The patch explicitly deletes __proto__ keys during the walking phase and moves away from the reviver approach to prevent prototype pollution attacks. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/3 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/3 Tue, 10 Feb 2026 13:07:10 GMT The code had improper path resolution that allowed attackers to access files outside the intended directory structure. The patch fixes relative path resolution by properly normalizing paths relative to PROJECT_ROOT instead of allowing arbitrary relative paths from the current working directory. medium confirmed https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/2 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/2 Tue, 10 Feb 2026 13:06:22 GMT The recursive traversal of async node chains in visitAsyncNode causes stack overflow when processing deep async sequences. Database libraries creating long linear chains of async operations can trigger this DoS condition. The patch converts recursive traversal to iterative to prevent stack exhaustion. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/1 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/1 Tue, 10 Feb 2026 13:04:53 GMT The code incorrectly checked for debugChannel existence instead of debugChannelReadable, causing the server to signal debug info availability even with write-only channels. This could cause clients to block indefinitely waiting for debug data that never arrives, resulting in a denial of service condition. medium unverified