Key Takeaways
- The React team has released fixes for two new types of flaws in React Server Components (RSC) that could result in denial-of-service (DoS) or source code exposure.
- The vulnerabilities, identified as CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183, have CVSS scores of 7.5, 7.5, and 5.3, respectively.
- The flaws affect versions 19.0.0 to 19.2.2 of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
- Users are advised to update to versions 19.0.3, 19.1.4, and 19.2.3 as soon as possible to prevent potential exploits.
- The React team credits security researchers RyotaK, Shinsaku Nomura, and Andrew MacPherson with reporting the vulnerabilities.
Introduction to the Vulnerabilities
The React team has recently released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The vulnerabilities were found by security researchers probing the patches released for CVE-2025-55182, a critical RSC bug that has since been weaponized in the wild. The three vulnerabilities are identified as CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183, with CVSS scores of 7.5, 7.5, and 5.3, respectively.
Details of the Vulnerabilities
CVE-2025-55184 is a pre-authentication denial-of-service vulnerability that arises from unsafe deserialization of payloads in HTTP requests to Server Function endpoints. It can trigger an infinite loop that hangs the server process and may prevent further HTTP requests from being served. CVE-2025-67779 is an incomplete fix for CVE-2025-55184 and has the same impact. CVE-2025-55183 is an information leak: a specially crafted HTTP request sent to a vulnerable Server Function may cause it to return the source code of any Server Function. Successful exploitation of CVE-2025-55183, however, requires a Server Function that explicitly or implicitly exposes one of its arguments after converting it to a string.
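The precondition named for CVE-2025-55183 is a Server Function that stringifies an argument. The following added example (it is not code from React or from the advisory, and it does not reproduce the RSC deserialization path) shows the plain JavaScript behaviour that makes such stringification risky: coercing a function value to a string returns that function's source text. `greetUnchecked`, `greetChecked` and `requireString` are hypothetical handler names; the type guard is defense-in-depth for the handler's own input contract, while upgrading to a fixed react-server-dom-* version remains the actual fix.

```javascript
// Added example, not from React or the advisory.
// Real Server Functions are usually async; these are synchronous so the
// behaviour is easy to check directly.

// Hypothetical handler that builds a greeting from whatever argument arrives.
function greetUnchecked(name) {
  return `Hello, ${name}`; // template literal stringifies `name`, whatever it is
}

// Reject anything that is not a plain string before it reaches the template.
function requireString(value, label) {
  if (typeof value !== 'string') {
    throw new TypeError(`${label}: expected string, got ${typeof value}`);
  }
  return value;
}

// Same handler with the argument type enforced up front.
function greetChecked(name) {
  return `Hello, ${requireString(name, 'name')}`;
}

// Shows the coercion on a locally defined function (constructed input):
// String(fn) yields the function's own source text.
function demonstrateCoercion() {
  function internalLogic() { return 'internal detail'; }
  return String(internalLogic);
}

console.log(greetUnchecked('Ada'));                     // normal use
console.log(greetUnchecked(function f() { return 42; })); // source text ends up in the response
console.log(demonstrateCoercion());
try {
  greetChecked(function f() { return 42; });
} catch (e) {
  console.log(`rejected: ${e.message}`);                // TypeError from the guard
}
```

The point of the guard is narrow: a handler that only ever expects a string should refuse to interpolate anything else, so that a non-string value reaching it becomes a logged error rather than response content.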
Affected Versions and Updates
The flaws affect versions 19.0.0 to 19.2.2 of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. Specifically, CVE-2025-55184 and CVE-2025-55183 affect versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1, while CVE-2025-67779 affects versions 19.0.2, 19.1.3, and 19.2.2. To prevent potential exploits, users are advised to update to versions 19.0.3, 19.1.4, and 19.2.3 as soon as possible.
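One way to turn the version lists above into a check is to walk a project's `package-lock.json` and flag the three packages by exact version. The script below is an added example, not a tool from the React team; it encodes only the affected and fixed versions stated in this advisory, treats any other version as not covered, and runs against a constructed lockfile fragment (`SAMPLE_LOCK`). The function names `auditLockfile`, `packageNameFromPath` and `formatFindings` are this example's own.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3) for the
// react-server-dom-* versions named in the advisory.

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'react-server-dom-webpack',
]);

// Exact version -> CVEs it is affected by, as listed in the advisory.
const AFFECTED_VERSIONS = {
  '19.0.0': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.0.1': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.1.0': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.1.1': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.1.2': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.2.0': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.2.1': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.0.2': ['CVE-2025-67779'],
  '19.1.3': ['CVE-2025-67779'],
  '19.2.2': ['CVE-2025-67779'],
};

// Release line -> first fixed version on that line.
const FIXED_VERSION = { '19.0': '19.0.3', '19.1': '19.1.4', '19.2': '19.2.3' };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root entry.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per installed copy of an audited package, nested copies included.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const cves = AFFECTED_VERSIONS[entry.version] || [];
    const line = entry.version.split('.').slice(0, 2).join('.');
    findings.push({
      path: lockPath,
      name,
      version: entry.version,
      affected: cves.length > 0,
      cves,
      fixedVersion: FIXED_VERSION[line] || null,
    });
  }
  return findings;
}

function formatFindings(findings) {
  return findings.map((f) =>
    f.affected
      ? `${f.path}@${f.version}: AFFECTED (${f.cves.join(', ')}) -> upgrade to ${f.fixedVersion}`
      : `${f.path}@${f.version}: not affected`,
  ).join('\n');
}

// Constructed lockfile fragment standing in for a real package-lock.json.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-tool/node_modules/react-server-dom-turbopack': { version: '19.1.3' },
    'node_modules/react-server-dom-parcel': { version: '19.2.3' },
  },
};

console.log(formatFindings(auditLockfile(SAMPLE_LOCK)));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Matching on exact versions rather than semver ranges keeps the check faithful to the advisory: a version it does not list is reported as not affected, not as safe.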
Credit to Security Researchers
The React team credits security researchers RyotaK and Shinsaku Nomura with reporting the two DoS bugs to the Meta Bug Bounty program, and acknowledges Andrew MacPherson for reporting the information leak flaw. The team appreciates the efforts of these researchers in identifying and reporting the vulnerabilities, which have helped to improve the security of React Server Components.
Industry Response and Best Practices
The React team notes that the pattern of additional disclosures after a critical vulnerability is disclosed is not unique to JavaScript, but is a common industry trend. When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed. This response cycle is a sign of a healthy and proactive approach to security, and the React team encourages users to stay vigilant and update their systems regularly to prevent potential exploits. By doing so, users can help to ensure the security and integrity of their systems and data.