React Server Components Flaws Risk DoS Attacks and Source Code Leaks; Urgent Patches Released

New React Server Components Vulnerabilities Expose Applications to DoS Attacks and Source Code Leaks

In the wake of addressing the critical React2Shell vulnerability, the React development team has identified three additional security flaws within React Server Components (RSC). These newly discovered issues pose significant risks, including potential Denial-of-Service (DoS) attacks and unauthorized exposure of server-side source code.

Background on React Server Components

React Server Components are a pivotal feature in modern web development, enabling developers to build applications that seamlessly integrate server-side rendering with client-side interactivity. This architecture enhances performance and user experience by allowing components to be rendered on the server and sent to the client as needed.

Details of the New Vulnerabilities

The recent vulnerabilities were uncovered by security researchers who were investigating potential bypasses for the previously patched React2Shell exploit. While the initial patch effectively mitigated the Remote Code Execution (RCE) risk, these new flaws introduce additional concerns:

1. Denial-of-Service (DoS) Vulnerability (CVE-2025-55184): This high-severity issue arises when a maliciously crafted HTTP request is sent to a Server Functions endpoint. The request can trigger an infinite loop during React’s deserialization process, leading to excessive CPU consumption and rendering the application unresponsive.

2. Patch Bypass Leading to DoS (CVE-2025-67779): A second high-severity vulnerability that circumvents the first round of patches for these issues, so applications running those initially patched releases remain exposed to the same DoS condition.

3. Source Code Exposure (CVE-2025-55183): This medium-severity flaw enables attackers to manipulate HTTP requests to leak the source code of Server Functions. Runtime secrets such as environment variables are not exposed by this flaw, but any secrets or logic hardcoded into the function body could be.

Affected Versions and Immediate Actions

The vulnerabilities impact the following React Server Components packages:

– `react-server-dom-webpack`
– `react-server-dom-parcel`
– `react-server-dom-turbopack`

Users of frameworks such as Next.js, Waku, and React Router are likely affected. Notably, the initial patches released earlier this week were incomplete. If you are currently running versions 19.0.2, 19.1.3, or 19.2.2, your application remains vulnerable to the DoS exploit (CVE-2025-67779).

Recommended Upgrades:

– 19.0.x branch: Upgrade to 19.0.3
– 19.1.x branch: Upgrade to 19.1.4
– 19.2.x branch: Upgrade to 19.2.3

The React team emphasizes the urgency of these updates, drawing parallels to the Log4Shell incident, where subsequent vulnerabilities were discovered following a high-profile disclosure. Credit for these discoveries goes to researchers Andrew MacPherson, RyotaK, and Shinsaku Nomura.

Implications for Developers and Organizations

The discovery of these vulnerabilities underscores the importance of proactive security measures in web development. Developers and organizations must:

– Stay Informed: Regularly monitor official channels for security advisories related to the technologies in use.

– Implement Prompt Patching: Apply security patches as soon as they become available to mitigate potential risks.

– Conduct Regular Security Audits: Periodically review codebases and dependencies for vulnerabilities to ensure the integrity and security of applications.

Conclusion

The recent identification of additional vulnerabilities in React Server Components highlights the evolving nature of cybersecurity threats. By promptly addressing these issues and adhering to best practices, developers and organizations can safeguard their applications against potential exploits.