React Server Components Security Alert: DoS and Source Code Exposure Vulnerabilities
Critical Security Advisory: React Server Components Vulnerabilities
On December 11, 2025, the React team disclosed two additional security vulnerabilities in React Server Components. These were discovered by security researchers while probing the patches from last week's critical React2Shell vulnerability.
The good news: These new vulnerabilities do not allow Remote Code Execution. The React2Shell patch remains effective.
The concerning news: These are still serious vulnerabilities requiring immediate action.
Vulnerabilities Overview
1. High Severity: Denial of Service (DoS)
CVEs: CVE-2025-55184 and CVE-2025-67779
CVSS Score: 7.5 (High)
A malicious HTTP request can trigger an infinite loop when deserialized by React, causing the server process to hang and consume CPU resources. This can:
- Deny users access to your application
- Impact server performance
- Potentially affect other services on the same infrastructure
Even apps without explicit Server Function endpoints may be vulnerable if they support React Server Components.
2. Medium Severity: Source Code Exposure
CVE: CVE-2025-55183
CVSS Score: 5.3 (Medium)
A malicious HTTP request to a vulnerable Server Function may expose the source code of that function, including any hardcoded secrets.
```javascript
// Example vulnerable code
'use server';
export async function serverFunction(name) {
  const conn = db.createConnection('SECRET KEY'); // ⚠️ Can be leaked!
  const user = await conn.createUser(name);
  return {
    id: user.id,
    message: `Hello, ${name}!` // Explicit stringification = leak vector
  };
}
```
Important: Only secrets hardcoded in source code may be exposed. Runtime secrets like process.env.SECRET are not affected.
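To make the distinction in that note concrete, here is an added example (not code from the React advisory or the React project) contrasting a Server Function with a baked-in secret against one that reads the secret from the environment. The function names, the two fake key values and the `EXAMPLE_DB_KEY` variable are all constructed for this illustration. The point it demonstrates: a source-code leak can hand over at most the function's text, and `Function.prototype.toString()` yields exactly that text, so checking it for known secret values is a usable pre-deploy guard.

```javascript
// Added example (not from the React advisory): why a hardcoded secret is
// exposed by a source-code leak while a runtime secret is not.
// All names and secret values below are constructed for illustration.

// Constructed vulnerable pattern: the secret literal lives in the function body,
// so it is part of the source text a leak would reveal.
function vulnerableServerFunction(name) {
  const connectionKey = 'example-hardcoded-key-12345'; // baked into the source
  return { key: connectionKey, message: `Hello, ${name}!` };
}

// Hardened form: the value is read from the environment at call time, so the
// source text contains only the variable name EXAMPLE_DB_KEY, never its value.
function hardenedServerFunction(name) {
  const connectionKey = process.env.EXAMPLE_DB_KEY; // assumed env var name
  return { key: connectionKey, message: `Hello, ${name}!` };
}

// Models what a source-code exposure reveals: the function's text and nothing
// that only exists at runtime.
function leakedSource(fn) {
  return fn.toString();
}

// Pre-deployment check: does the source text of any Server Function embed a
// value we know to be secret? Returns the names of the offending functions.
function findFunctionsEmbeddingSecrets(fns, knownSecretValues) {
  const offenders = [];
  for (const fn of fns) {
    const src = leakedSource(fn);
    const embedsSecret = knownSecretValues.some(
      (secret) => typeof secret === 'string' && secret.length > 0 && src.includes(secret)
    );
    if (embedsSecret) offenders.push(fn.name);
  }
  return offenders;
}

// Demo run with a constructed runtime value for the environment variable.
process.env.EXAMPLE_DB_KEY = 'example-runtime-key-67890';
const secrets = ['example-hardcoded-key-12345', process.env.EXAMPLE_DB_KEY];
const offenders = findFunctionsEmbeddingSecrets(
  [vulnerableServerFunction, hardenedServerFunction],
  secrets
);
console.log(offenders); // → [ 'vulnerableServerFunction' ]
```

The check only catches values you already know are secrets (feed it the same list your secret manager holds); it is a complement to, not a replacement for, keeping secrets out of source in the first place.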
Affected Versions & Packages
Vulnerable Packages
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Vulnerable Versions
- 19.0.0, 19.0.1, 19.0.2
- 19.1.0, 19.1.1, 19.1.2, 19.1.3
- 19.2.0, 19.2.1, 19.2.2
Safe Versions
- 19.0.3, 19.1.4, 19.2.3
Affected Frameworks
- Next.js
- React Router
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- rwsdk
Immediate Action Required
Step 1: Check Your Dependencies
```sh
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
```
Step 2: Update Immediately
```sh
# For npm
npm update react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

# For yarn
yarn upgrade react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

# For pnpm
pnpm update react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
```
Step 3: Verify Safe Versions
After updating, verify you're on safe versions (19.0.3, 19.1.4, or 19.2.3).
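Checking this by eye across a large dependency tree is error-prone, so here is an added example (not tooling from the React project) that classifies every installed copy of the three packages from the JSON form of `npm ls`. The package names and the patched versions are taken from this advisory; the sample `npm ls --json` tree below is constructed, and the helper names are assumptions of this example. It walks nested dependencies too, since a transitive copy is just as vulnerable as a top-level one, and it reports versions outside the advisory's listed lines as `unlisted` rather than guessing.

```javascript
// Added example (not from the React advisory): classify installed
// react-server-dom-* versions against the patched releases listed above,
// reading the nested tree produced by `npm ls --json`.

const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// First patched release on each affected minor line, per the advisory
// (19.0.3, 19.1.4, 19.2.3).
const FIRST_SAFE_PATCH = { '19.0': 3, '19.1': 4, '19.2': 3 };

// Parse an exact "MAJOR.MINOR.PATCH" string; pre-release or build suffixes
// are not matched on purpose, because the advisory lists no such versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// 'safe' | 'vulnerable' | 'unlisted'. Anything not on a listed line (or not
// a plain release version) is reported as 'unlisted', not as safe.
function classifyVersion(v) {
  const p = parseVersion(v);
  if (!p) return 'unlisted';
  const line = `${p.major}.${p.minor}`;
  if (!(line in FIRST_SAFE_PATCH)) return 'unlisted';
  return p.patch >= FIRST_SAFE_PATCH[line] ? 'safe' : 'vulnerable';
}

// Recursively collect every occurrence of an affected package in the
// `npm ls --json` tree, recording the dependency path it was found under.
function findAffected(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (AFFECTED_PACKAGES.includes(name) && typeof info.version === 'string') {
      out.push({
        name,
        version: info.version,
        path: here.join(' > '),
        status: classifyVersion(info.version),
      });
    }
    findAffected(info, here, out);
  }
  return out;
}

// True if any installed copy is on a version the advisory lists as vulnerable.
function hasVulnerableInstall(tree) {
  return findAffected(tree).some((hit) => hit.status === 'vulnerable');
}

// Constructed sample in the shape `npm ls --json` emits: one transitive copy
// still on a vulnerable release, one top-level copy already patched.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'example-rsc-framework': {
      version: '1.2.3',
      dependencies: {
        'react-server-dom-webpack': { version: '19.2.1' },
      },
    },
    'react-server-dom-turbopack': { version: '19.2.3' },
    react: { version: '19.2.0' }, // not one of the affected packages; ignored
  },
};

for (const hit of findAffected(SAMPLE_NPM_LS)) {
  console.log(`${hit.status.padEnd(10)} ${hit.name}@${hit.version}  (${hit.path})`);
}
console.log('vulnerable install present:', hasVulnerableInstall(SAMPLE_NPM_LS));
```

To run it against a real project, feed it `JSON.parse` of the output of `npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack --all --json` instead of the constructed tree. Frameworks that ship their own bundled copy of React will not surface these packages in `npm ls` at all; for those, the framework package itself is what needs updating, as the advisory's framework list implies.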
Who Is NOT Affected?
Your app is not affected if:
- Your React code does not use a server
- You don't use a framework/bundler that supports React Server Components
- You're using React Native without monorepo or react-dom dependencies
Key Takeaways
- Update immediately to versions 19.0.3, 19.1.4, or 19.2.3
- Never hardcode secrets in Server Functions - use environment variables
- Monitor for additional patches - follow-up CVEs are common after critical disclosures
- Don't rely solely on hosting provider mitigations - update your code
Timeline
| Date | Event |
|---|---|
| Dec 3 | Leak reported by Andrew MacPherson |
| Dec 4 | Initial DoS reported by RyotaK |
| Dec 6 | Issues confirmed by React team |
| Dec 7 | Initial fixes created |
| Dec 8 | Hosting providers notified |
| Dec 10 | Mitigations in place, patches verified |
| Dec 11 | Patches published, CVEs disclosed |
Credits
Thanks to the security researchers who responsibly disclosed these vulnerabilities:
- Andrew MacPherson - Source Code Exposure
- RyotaK (GMO Flatt Security Inc) - Denial of Service
- Shinsaku Nomura (Bitforest Co., Ltd.) - Additional DoS case
Further Reading
Stay secure. Update now.