New React Server Component Vulnerabilities Expose Applications to DoS Attacks and Source Code Leaks
In the wake of addressing a critical Remote Code Execution (RCE) vulnerability, the React development team has identified and disclosed three additional security flaws within React Server Components (RSC). These newly discovered vulnerabilities pose significant risks, including Denial-of-Service (DoS) attacks and unauthorized exposure of server-side source code.
Background on React Server Components
React Server Components (RSC) are a feature of the React framework designed to enhance performance by allowing components to be rendered on the server. This approach reduces the amount of JavaScript sent to the client, leading to faster load times and improved user experiences. However, the complexity of server-side rendering introduces potential security challenges, as evidenced by recent discoveries.
Details of the New Vulnerabilities
The React team, in collaboration with security researchers, has identified the following vulnerabilities:
1. Denial-of-Service (DoS) Vulnerability (CVE-2025-55184): This high-severity flaw allows an attacker to send a specially crafted HTTP request to a Server Functions endpoint, triggering an infinite loop during React’s deserialization process. This loop consumes CPU resources, causing the server to become unresponsive and effectively taking the application offline.
2. Denial-of-Service via Patch Bypass (CVE-2025-67779): Also rated as high severity, this vulnerability involves a bypass of previous patches, leading to similar DoS conditions. Attackers can exploit this flaw to render applications unavailable by overwhelming server resources.
3. Source Code Exposure (CVE-2025-55183): This medium-severity issue enables attackers to manipulate HTTP requests in a manner that leaks the source code of Server Functions. While runtime secrets like environment variables remain secure, any hardcoded secrets or business logic within the function could be exposed, potentially leading to further exploitation.
Affected Versions and Immediate Actions
The vulnerabilities impact the following React Server Component packages:
– `react-server-dom-webpack`
– `react-server-dom-parcel`
– `react-server-dom-turbopack`
Users of frameworks such as Next.js, Waku, and React Router are likely affected due to their reliance on these packages.
The initial patches released earlier this week were found to be incomplete. Therefore, developers must upgrade to the following versions immediately to mitigate these vulnerabilities:
– For the 19.0.x branch: Upgrade to version 19.0.3
– For the 19.1.x branch: Upgrade to version 19.1.4
– For the 19.2.x branch: Upgrade to version 19.2.3
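One way to audit a project's lockfile against the fixed versions listed above, as an added example (not code from the React team or this article). It assumes a package-lock.json v2/v3 `packages` map, maps each 19.x minor branch to the patched release named here, and treats pre-release or range-prefixed versions as their base version (which errs on the side of flagging):

```javascript
// Added example: flag installed react-server-dom-* packages that are below the
// fixed release for their minor branch. Not the React project's own tooling.

const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Minimum patched version per 19.x minor branch, taken from the advisory text.
const FIXED_BY_BRANCH = { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" };

function parseVersion(v) {
  // Accept an optional range operator (^, ~) and ignore any pre-release suffix,
  // so "19.2.0-canary-..." is assessed as 19.2.0 (conservative).
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns "patched", "vulnerable" or "unknown-branch" for one installed version.
// "unknown-branch" means a release outside 19.0/19.1/19.2; consult the advisory.
function assessVersion(installed) {
  const [major, minor] = parseVersion(installed);
  const fixed = FIXED_BY_BRANCH[`${major}.${minor}`];
  if (!fixed) return "unknown-branch";
  return compareVersions(installed, fixed) >= 0 ? "patched" : "vulnerable";
}

// Walks the lockfile "packages" map and reports every affected package found,
// including nested copies (e.g. one vendored under a framework's node_modules).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: assessVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = { packages: {
  "node_modules/react-server-dom-webpack": { version: "19.1.2" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.3" },
  "node_modules/next/node_modules/react-server-dom-parcel": { version: "19.0.1" },
  "node_modules/react": { version: "19.2.0" },
} };

console.table(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; any "vulnerable" row means the branch-specific upgrade above is still outstanding.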
Implications for Developers and Organizations
The discovery of these vulnerabilities underscores the importance of proactive security measures in software development. For developers and organizations utilizing React Server Components, the following steps are recommended:
1. Immediate Patching: Ensure that all applications are updated to the latest patched versions as specified above.
2. Code Review: Conduct thorough reviews of server-side code to identify and remove any hardcoded secrets or sensitive information that could be exposed.
3. Monitoring and Logging: Implement robust monitoring to detect unusual patterns that may indicate exploitation attempts, such as unexpected spikes in CPU usage or unauthorized access attempts.
4. Security Training: Educate development teams on secure coding practices, particularly concerning deserialization processes and input validation, to prevent similar vulnerabilities in the future.
Broader Context and Industry Response
The React team’s swift identification and disclosure of these vulnerabilities highlight the collaborative nature of the open-source community in addressing security issues. This proactive approach is crucial in maintaining the trust and reliability of widely used frameworks.
Security researchers Andrew MacPherson, RyotaK, and Shinsaku Nomura have been credited with discovering these flaws. Their contributions exemplify the critical role that independent researchers play in enhancing software security.
The React team has noted that discovering follow-up vulnerabilities is common after a high-profile disclosure. They draw parallels to the Log4Shell incident, where community probing uncovered adjacent flaws. This pattern underscores the need for continuous vigilance and prompt response to emerging threats.
Conclusion
The recent identification of additional vulnerabilities in React Server Components serves as a stark reminder of the evolving nature of cybersecurity threats. Developers and organizations must remain vigilant, promptly apply patches, and adhere to best practices to safeguard their applications and user data. By fostering a culture of security awareness and proactive defense, the community can collectively mitigate risks and enhance the resilience of web applications.