Newly Discovered React RSC Vulnerabilities Enable Denial-of-Service and Source Code Exposure

  • Dec 12, 2025
  • 3 min read

Key Findings


  • CVE-2025-55184 (CVSS 7.5) - A pre-authentication denial of service vulnerability in React Server Components (RSC) that can trigger an infinite loop and hang the server process

  • CVE-2025-67779 (CVSS 7.5) - An incomplete fix for CVE-2025-55184 with the same impact

  • CVE-2025-55183 (CVSS 5.3) - An information leak vulnerability that may expose the source code of a vulnerable Server Function


Background


The React team has released fixes for three new vulnerabilities in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. These issues were discovered by security researchers while attempting to exploit the patches released for CVE-2025-55182, a critical remote code execution (RCE) vulnerability in RSC that has since been weaponized in the wild.


CVE-2025-55184 and CVE-2025-67779: Denial of Service


  • These High severity flaws (CVSS 7.5) allow an attacker to trigger an infinite loop on the server by sending a malicious HTTP request to a vulnerable RSC endpoint.

  • The infinite loop consumes the server's CPU resources, effectively locking up the system and preventing future requests from being served.

  • Crucially, this vulnerability is not limited to applications that actively use RSC; even apps that simply support RSC can be affected.


CVE-2025-55183: Source Code Exposure


  • This Medium severity vulnerability (CVSS 5.3) can lead to the disclosure of a vulnerable Server Function's source code.

  • Exploitation requires that the Server Function "explicitly or implicitly exposes a stringified argument", which could potentially leak sensitive logic or internal database keys.

  • While not as severe as the DoS issues, source code exposure can still pose a significant risk to the confidentiality of the application.


Affected Versions and Mitigation


The vulnerabilities affect the following versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack:


  • CVE-2025-55184 and CVE-2025-55183: 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1

  • CVE-2025-67779: 19.0.2, 19.1.3, and 19.2.2


Users are advised to update to versions 19.0.3, 19.1.4, and 19.2.3 as soon as possible to address these vulnerabilities, especially in light of active exploitation of the previous RCE flaw (CVE-2025-55182).
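To turn the version lists above into an inventory check, here is an added example (not code from the advisory or the React project) that classifies the exact react-server-dom-* versions found in a dependency tree; the sample tree is constructed, and treating later patch releases on a fixed 19.x line as patched is an assumption beyond the page's literal list.

```javascript
// Added example, not from the advisory or the React project: compare exact
// react-server-dom-* versions (e.g. resolved from a lockfile or `npm ls --json`)
// against the affected and fixed versions published in the advisory.
const IN_SCOPE = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// Affected version lists exactly as stated in the advisory.
const DOS_AND_LEAK = ["19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1"];
const ADVISORY = [
  { cve: "CVE-2025-55184", versions: DOS_AND_LEAK },
  { cve: "CVE-2025-55183", versions: DOS_AND_LEAK },
  { cve: "CVE-2025-67779", versions: ["19.0.2", "19.1.3", "19.2.2"] },
];

// Fixed release per 19.x line, as stated in the advisory.
const FIXED = { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" };

// Classify one installed package. Exact matches against the advisory win;
// a patch number at or above the fixed release on the same line is treated as
// patched (assumption); anything else (other majors, prerelease tags) is
// reported for manual review rather than assumed safe.
function assess(name, version) {
  if (!IN_SCOPE.has(name)) return { name, version, status: "not-in-scope" };
  const cves = ADVISORY.filter((a) => a.versions.includes(version)).map((a) => a.cve);
  const [maj, min, pat] = version.split(".").map(Number);
  const fixed = FIXED[`${maj}.${min}`];
  if (cves.length > 0) return { name, version, status: "vulnerable", cves, upgradeTo: fixed };
  if (fixed && Number.isInteger(pat) && pat >= Number(fixed.split(".")[2])) {
    return { name, version, status: "patched" };
  }
  return { name, version, status: "unlisted", note: "not covered by the advisory; verify manually" };
}

// Assess a whole dependency tree given as { packageName: exactVersion }.
function assessTree(installed) {
  return Object.entries(installed).map(([name, v]) => assess(name, v));
}

// Constructed sample tree, not taken from any real project.
const SAMPLE_TREE = {
  "react-dom": "19.2.1",
  "react-server-dom-webpack": "19.2.1",
  "react-server-dom-turbopack": "19.2.2",
  "react-server-dom-parcel": "19.2.3",
};

for (const r of assessTree(SAMPLE_TREE)) console.log(JSON.stringify(r));
```

Because a framework may pull in one of these packages transitively, run it over the fully resolved tree rather than only the direct dependencies in package.json.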

