AIKIDO-2026-11167

view_component is vulnerable to Information Disclosure

Information Disclosure | GHSA-9h85-g7w3-rh49 | Published Yesterday

68

Medium Risk

This Affects:

Ruby: view_component
4.0.0 - 4.11.0
Fixed in 4.12.0

TL;DR

ViewComponent component instances memoize controller, helpers, request, and related render-scoped state on first render. Reusing the same instance across different view contexts can serve stale privileged UI, user identity, host data, or slot child context from an earlier render. This can leak data across requests, sessions, users, or threads when components are cached in registries or shared collections. The fix resets render-scoped state at the start of each render_in call and rebuilds collection child instances per render.
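
The reuse problem described above, as an added Ruby example that models the pattern in miniature. It is not ViewComponent's code or the actual patch; `ViewContext`, `StaleBadge`, `ResetBadge`, the registry and the sample users and hosts are constructed for illustration.

```ruby
# Simplified model of the bug class; not ViewComponent's real implementation.
# All class names, users and hosts below are constructed for this example.
ViewContext = Struct.new(:current_user, :host)

class StaleBadge
  # Vulnerable pattern: render-scoped state is memoized on the first render.
  def render_in(view_context)
    @view_context ||= view_context # later renders keep the first context
    "#{helpers[:user]}@#{helpers[:host]}"
  end

  private

  def helpers
    @helpers ||= { user: @view_context.current_user, host: @view_context.host }
  end
end

class ResetBadge < StaleBadge
  # Patched pattern: drop render-scoped state at the start of every render.
  def render_in(view_context)
    @view_context = nil
    @helpers = nil
    super
  end
end

# A registry that hands the same instance to two different view contexts,
# standing in for a component cached across requests.
def render_for_two_users(component_class)
  registry = { badge: component_class.new }
  admin = ViewContext.new("admin", "internal.example")
  guest = ViewContext.new("guest", "www.example")
  [registry[:badge].render_in(admin), registry[:badge].render_in(guest)]
end

# Application-side alternative: build a fresh instance for each render.
def render_fresh(component_class, view_context)
  component_class.new.render_in(view_context)
end
```

With `StaleBadge`, the second render returns the first user's identity and host; with `ResetBadge` or a fresh instance per render, each output reflects its own view context.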

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application reuses the same component, collection, or spacer instance across renders with different view contexts.

Background info

view_component is vulnerable to Information Disclosure in versions 4.0.0 - 4.11.0.

How to fix this

Upgrade the view_component library to the patched version, 4.12.0.