
Security: Add input validation limits to React Server Components#3

Merged: dill-lk merged 7 commits into critical-security-fix from copilot/report-security-vulnerability on Feb 17, 2026

Conversation


Copilot AI commented Feb 17, 2026

Addresses 5 publicly disclosed vulnerabilities in React Server Components: GHSA-fv66-9v8q-g76r (RCE), GHSA-925w-6v3x-g4j4 (source exposure), GHSA-2m3v-v2m8-q956, GHSA-7gmr-mq3h-m5h9, GHSA-83fc-fqcc-2hmg (DoS variants).

Changes

Input validation limits added to ReactFlightReplyServer.js:

  • JSON payload: 50MB max before parsing (prevents memory exhaustion)
  • String length: 10MB per string, 500MB cumulative (prevents memory exhaustion)
  • FormData keys: 100,000 max (prevents iteration-based DoS)

Path traversal protection in ReactFlightActionServer.js:

  • Server reference IDs validated to block .., \0, and leading /

Example:

// Before JSON.parse(), validate payload size
if (resolvedModel.length > MAX_JSON_PAYLOAD_SIZE) {
  throw new Error('JSON payload too large...');
}
const rawModel = JSON.parse(resolvedModel);

Testing

New test suite ReactFlightDOMSecurity-test.js verifies limits enforce correctly while allowing legitimate large payloads (1000+ form fields, 100KB documents, arrays of 1000+ items).

All existing React Flight tests pass without modification - limits are high enough to not affect normal usage patterns.

Documentation

SECURITY_MITIGATIONS.md details rationale for each limit value and impact analysis.
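The four checks the description lists, written out as an added, stand-alone illustration (this is not code from the PR or from React itself; the limit values are the ones stated above, while the function names, the optional limit parameters and the use of any object exposing a `keys()` iterator in place of a real FormData are assumptions made here so the checks can be exercised with small inputs):

```javascript
// Limit values as stated in the PR description; everything else is illustrative.
const MAX_JSON_PAYLOAD_SIZE = 50 * 1024 * 1024;          // 50MB, checked before JSON.parse
const MAX_STRING_LENGTH = 10 * 1024 * 1024;              // 10MB per individual string
const MAX_CUMULATIVE_STRING_LENGTH = 500 * 1024 * 1024;  // 500MB across one reply
const MAX_FORMDATA_KEYS = 100000;                        // cap on iterated form fields

// Reject an oversized serialized reply by length alone, so no parser work
// (and no allocation for the parsed tree) happens for a huge payload.
function checkPayloadSize(serialized, limit = MAX_JSON_PAYLOAD_SIZE) {
  if (serialized.length > limit) {
    throw new Error('JSON payload too large');
  }
  return JSON.parse(serialized);
}

// Per-string and cumulative caps together: many medium strings that each
// pass the per-string check must still not exhaust memory in aggregate.
// Returns a checker that tracks the running total for one reply.
function createStringBudget(perString = MAX_STRING_LENGTH, cumulative = MAX_CUMULATIVE_STRING_LENGTH) {
  let total = 0;
  return function checkString(value) {
    if (value.length > perString) throw new Error('String too long');
    total += value.length;
    if (total > cumulative) throw new Error('Cumulative string size exceeded');
    return total;
  };
}

// Fail fast on key count instead of iterating a crafted body with millions
// of fields; `formData` is anything with a keys() iterator (assumption).
function checkFormDataKeyCount(formData, limit = MAX_FORMDATA_KEYS) {
  let count = 0;
  for (const _key of formData.keys()) {
    if (++count > limit) throw new Error('Too many FormData keys');
  }
  return count;
}

// Server reference IDs are used to locate action modules, so reject the
// three shapes the PR names: "..", NUL bytes and a leading "/".
function isValidServerReferenceId(id) {
  if (typeof id !== 'string' || id.length === 0) return false;
  return !id.includes('..') && !id.includes('\0') && !id.startsWith('/');
}
```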

Copilot AI and others added 4 commits February 17, 2026 10:08
…ents

Co-authored-by: dill-lk <241706614+dill-lk@users.noreply.github.com>
Copilot AI changed the title [WIP] Report security vulnerability in React Security: Add input validation limits to React Server Components Feb 17, 2026
Copilot AI requested a review from dill-lk February 17, 2026 10:25
Copilot AI and others added 2 commits February 17, 2026 10:28
dill-lk marked this pull request as ready for review February 17, 2026 10:31
dill-lk merged commit d71a7c8 into critical-security-fix Feb 17, 2026
dill-lk deleted the copilot/report-security-vulnerability branch February 17, 2026 10:34