New React RSC Vulnerabilities Expose Systems to DoS Attacks and Source Code Leaks
The React development team has recently addressed two significant vulnerabilities within React Server Components (RSC) that could lead to denial-of-service (DoS) attacks and unauthorized exposure of source code. These issues were identified by the security community while scrutinizing the patches for a previously disclosed critical RSC vulnerability, CVE-2025-55182, which has been actively exploited in the wild.
Details of the Vulnerabilities:
1. CVE-2025-55184 (CVSS score: 7.5): This pre-authentication DoS vulnerability arises from unsafe deserialization of payloads from HTTP requests to Server Function endpoints. Exploitation can trigger an infinite loop, causing the server process to hang and potentially preventing it from serving future HTTP requests.
2. CVE-2025-67779 (CVSS score: 7.5): This issue is an incomplete fix for CVE-2025-55184 and has the same impact, leading to potential DoS conditions.
3. CVE-2025-55183 (CVSS score: 5.3): This information leak vulnerability allows a specifically crafted HTTP request sent to a vulnerable Server Function to return the source code of any Server Function. Successful exploitation requires the existence of a Server Function that explicitly or implicitly exposes an argument converted into a string format.
Affected Versions:
The vulnerabilities impact the following versions of the `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack` packages:
– CVE-2025-55184 and CVE-2025-55183: Versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1.
– CVE-2025-67779: Versions 19.0.2, 19.1.3, and 19.2.2.
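As an added example (not part of the React advisory), the following script classifies resolved dependency versions of the three affected packages against the release lines above. It derives the classification from the patched release on each minor line (19.0.3, 19.1.4, 19.2.3), which reproduces the explicit version lists given above; the lockfile-style input map is a constructed sample.

```javascript
// Added example (not from the React advisory): flag resolved versions of the three
// affected packages using the patched release on each minor line stated above.
const AFFECTED_PACKAGES = new Set(["react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack"]);
// Patched release per minor line: 19.0.3 / 19.1.4 / 19.2.3.
const FIXED_PATCH = { "19.0": 3, "19.1": 4, "19.2": 3 };

// Parse an exact "x.y.z" version as found in a lockfile; returns null for ranges
// such as "^19.2.0", which must be resolved before they can be assessed.
function parseVersion(spec) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Map a version to the CVE ids the advisory's version lists assign to it: releases
// before the incomplete fix carry CVE-2025-55184 and CVE-2025-55183; the release just
// before the final fix (19.0.2, 19.1.3, 19.2.2) carries CVE-2025-67779.
function classify(pkgName, version) {
  if (!AFFECTED_PACKAGES.has(pkgName)) return { affectedBy: [], fixedVersion: null };
  const v = parseVersion(version);
  if (!v) throw new Error(`"${version}" for ${pkgName} is not an exact x.y.z version`);
  const line = `${v.major}.${v.minor}`;
  const fixed = FIXED_PATCH[line];
  if (fixed === undefined || v.patch >= fixed) return { affectedBy: [], fixedVersion: null };
  const affectedBy =
    v.patch === fixed - 1 ? ["CVE-2025-67779"] : ["CVE-2025-55184", "CVE-2025-55183"];
  return { affectedBy, fixedVersion: `${line}.${fixed}` };
}

// Walk a lockfile-style map { name: { version } } and collect the affected entries.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, info] of Object.entries(deps)) {
    const r = classify(name, info.version);
    if (r.affectedBy.length) findings.push({ name, version: info.version, ...r });
  }
  return findings;
}

// Constructed sample resembling a package-lock "packages" map (not a real project).
const SAMPLE_DEPS = {
  "react-server-dom-webpack": { version: "19.2.1" },
  "react-server-dom-turbopack": { version: "19.1.3" },
  "react-server-dom-parcel": { version: "19.2.3" },
  react: { version: "19.2.1" },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_DEPS), null, 2));
```

Feed it the `packages` map of a real `package-lock.json` to get the list of entries that still need the upgrade named in `fixedVersion`.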
Acknowledgments:
The React team has credited security researchers RyotaK and Shinsaku Nomura for reporting the two DoS vulnerabilities to the Meta Bug Bounty program. Additionally, Andrew MacPherson has been acknowledged for reporting the information leak flaw.
Recommendations:
Users are strongly advised to update to versions 19.0.3, 19.1.4, and 19.2.3 as soon as possible, especially considering the active exploitation of CVE-2025-55182. The React team emphasized that when a critical vulnerability is disclosed, researchers often scrutinize adjacent code paths to identify variant exploit techniques, which can lead to additional disclosures. While this may be frustrating, it is generally indicative of a healthy response cycle.
Background on CVE-2025-55182:
The previously disclosed vulnerability, CVE-2025-55182, also known as React2Shell, is a critical security flaw in RSC that allows unauthenticated remote code execution. This vulnerability has been actively exploited in the wild, prompting the React team to release patches and the security community to investigate further, leading to the discovery of the new vulnerabilities.
Implications for Developers:
These vulnerabilities highlight the importance of secure coding practices, especially when handling deserialization processes and managing server functions. Developers should ensure that their applications are updated to the latest versions to mitigate these risks. Additionally, implementing robust input validation and sanitization can help prevent similar vulnerabilities in the future.
Conclusion:
The discovery and patching of these new vulnerabilities in React Server Components underscore the ongoing challenges in maintaining secure web applications. By staying vigilant and promptly applying updates, developers can protect their applications from potential exploits and ensure a safer user experience.