The two new security issues in React Server Components include denial-of-service vulnerabilities (CVE-2025-55184 and CVE-2025-67779) and an information leak flaw (CVE-2025-55183), prompting an urgent call for users to update their versions of the affected libraries.
The three recently disclosed vulnerabilities affect the React Server Components framework. The first, CVE-2025-55184, is a denial-of-service vulnerability with a CVSS score of 7.5. It results from unsafe deserialization of payloads in HTTP requests sent to Server Function endpoints, which can trigger an infinite loop. This loop causes the server process to hang, preventing it from serving future HTTP requests. A subsequent issue, CVE-2025-67779, also with a CVSS score of 7.5, was found to be an incomplete fix for CVE-2025-55184 and has the same impact.
The third vulnerability, CVE-2025-55183, is an information leak with a lower CVSS score of 5.3. This flaw allows a specially constructed HTTP request sent to a vulnerable Server Function to return the source code of any other Server Function. However, successful exploitation of this code exposure flaw requires the target Server Function to explicitly or implicitly expose an argument that has been converted into a string format.
The vulnerabilities affect multiple versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. Specifically, CVE-2025-55184 and CVE-2025-55183 impact versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1. The incomplete fix, CVE-2025-67779, affects versions 19.0.2, 19.1.3, and 19.2.2. Security researchers RyotaK and Shinsaku Nomura were credited with reporting the two denial-of-service flaws, and Andrew MacPherson was acknowledged for reporting the information leak issue through the Meta Bug Bounty program.
GET 50% Discount for VPN/ANTIVIRUS SOFTWARE AT 911Cyber - CODE: bit5025
Given the active exploitation of the earlier critical vulnerability, CVE-2025-55182, users are strongly urged to update their installations to the patched versions as quickly as possible. The recommended secure versions are 19.0.3, 19.1.4, and 19.2.3. The React team explained that the discovery of these new flaws, which emerged while researchers scrutinized adjacent code paths following the initial disclosure, is a common industry pattern and a sign of a healthy response cycle to a critical vulnerability.
The newly fixed flaws could have serious consequences, including rendering a server completely unusable or exposing proprietary source code to attackers. The swift response from the React team in patching these issues, even as they arose from scrutiny of a previous patch, underscores the importance of a vigilant security posture in software development.
Source: New React RSC Vulnerabilities Enable DoS And Source Code Exposure
Good coverage of the RSC vuln chain. The incomplete fix turning into another CVE is pretty typical when deserialization logic gets patched under time pressure. The source code leak via stringified arguments is clever, though realistically most Server Functions probly don't expose enough context to make that exploitable at scale without already knowing the app architecture.