Denial of Service and Source Code Exposure in React Server Components


React Security Advisory — December 2025

New Vulnerabilities Disclosed & Immediate Upgrade Required

Summary of Newly Disclosed Vulnerabilities

High Severity — Denial of Service

CVE-2025-55184 and CVE-2025-67779
CVSS: 7.5 (High)

Medium Severity — Source Code Exposure

CVE-2025-55183
CVSS: 5.3 (Medium)

Upgrading immediately is strongly recommended due to the severity of these newly identified vulnerabilities.


Important Notes

  • The patches published earlier are vulnerable.
  • If you previously updated for last week's Critical Security Vulnerability, you must update again.
  • Versions 19.0.2, 19.1.3, and 19.2.2 contain incomplete fixes and require updating.

Upgrade steps remain the same as outlined in the previous advisory.

Further technical details will be released once the fix rollout is complete.


Immediate Action Required

These vulnerabilities affect the same packages and versions as CVE-2025-55182.

The impacted versions include:

  • 19.0.0
  • 19.0.1
  • 19.0.2
  • 19.1.0
  • 19.1.1
  • 19.1.2
  • 19.2.0
  • 19.2.1
  • 19.2.2

Affected Packages

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Safe Versions (Fixed)

  • 19.0.3
  • 19.1.4
  • 19.2.3

Upgrade to any of these fixed versions immediately.

Apps Not Affected

You are not affected if:

  • Your React app does not use a server.
  • Your app does not use a framework/bundler that supports React Server Components.

Why Multiple Follow-Up CVEs?

Critical CVEs often lead researchers to re-inspect related code paths, discovering bypass variants.
This is a common pattern across all ecosystems.
Example: After Log4Shell, additional CVEs were reported as the community validated the original fix.

Additional disclosures indicate a healthy security response cycle, not instability.


Affected Frameworks & Bundlers

Some frameworks/bundlers depend on or embed the vulnerable packages. These include:

  • next
  • react-router
  • waku
  • @parcel/rsc
  • @vite/rsc-plugin
  • rwsdk

Upgrade steps remain the same as described previously.


Hosting Provider Mitigations

Temporary mitigations have been deployed with major hosting providers.
Do not rely on these as a long-term fix. You must update.


React Native Impact

If you use React Native:

  • Not in a monorepo: You're safe; nothing to do.

  • In a monorepo: Update only the impacted packages:

    • react-server-dom-webpack
    • react-server-dom-parcel
    • react-server-dom-turbopack

You do not need to update react or react-dom.
This avoids version mismatch errors in React Native.

More info is available via the linked issue.


Vulnerability Details

High Severity: Denial of Service

CVE-2025-55184 and CVE-2025-67779
CVSS 7.5

A malicious HTTP request sent to any Server Functions endpoint can cause an infinite loop during deserialization, hanging the server process and consuming CPU.

Apps supporting React Server Components may be vulnerable even if they do not explicitly define Server Functions.

The published patches prevent the infinite loop behavior.

Additional Fix Notice

The initial fix for CVE-2025-55184 was incomplete.

Vulnerable versions:

  • 19.0.2
  • 19.1.3
  • 19.2.2

Safe versions:

  • 19.0.3
  • 19.1.4
  • 19.2.3

This incomplete fix resulted in a new CVE (CVE-2025-67779), which has now been addressed.


Medium Severity: Source Code Exposure

CVE-2025-55183
CVSS 5.3

A crafted HTTP request to a vulnerable Server Function may leak the source code of the function, particularly if:

  • It returns stringified arguments.
  • It implicitly or explicitly stringifies sensitive values.

Example vulnerable code:

'use server';

import db from './db'; // assumed: the app's own database module (not shown in the advisory)

export async function serverFunction(name) {
  // `name` arrives straight from the request body and is interpolated into the returned message
  const conn = db.createConnection('SECRET KEY');
  const user = await conn.createUser(name);

  return {
    id: user.id,
    message: `Hello, ${name}!`
  };
}
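The fix is the package upgrade above. As an added defense-in-depth example (not code from the advisory or the React project), the same Server Function is shown below with its argument validated before anything derived from it is stringified, and with the secret read from the environment instead of a literal in source. The `db` object is a constructed in-memory stand-in for the advisory's `db.createConnection()`, and `validateName` is a hypothetical helper.

```javascript
// Added example (not from the React advisory): the advisory's Server Function with
// defense-in-depth checks on its argument. In an RSC app this sits in a 'use server'
// module; CommonJS exports are used here so the file runs stand-alone under node.
'use server';

// Constructed in-memory stand-in for the app's database module.
const db = {
  createConnection(secret) {
    if (typeof secret !== 'string' || secret.length === 0) throw new Error('missing db secret');
    return { async createUser(name) { return { id: `user-${name.length}`, name }; } };
  },
};

// Server Function arguments are deserialized from the request body, so their type and
// shape must not be trusted. Accept only a plain, bounded string; fail closed on anything else.
function validateName(name) {
  if (typeof name !== 'string') throw new TypeError('name must be a string');
  if (name.length === 0 || name.length > 64) throw new RangeError('name length out of range');
  if (!/^[\p{L}\p{N} '-]+$/u.test(name)) throw new RangeError('name contains unexpected characters');
  return name;
}

async function serverFunction(name) {
  const safeName = validateName(name); // only a validated string ever reaches the template below
  // Secret comes from the environment; a literal in source is exactly what a source leak would expose.
  const conn = db.createConnection(process.env.DB_SECRET || 'placeholder-secret-for-demo');
  const user = await conn.createUser(safeName);
  return { id: user.id, message: `Hello, ${safeName}!` };
}

module.exports = { validateName, serverFunction };
```

Validation narrows what the function will stringify to values it has already checked, and moving the secret out of the file limits what a source exposure could reveal; neither replaces the upgrade the advisory requires.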