New React RSC Vulnerabilities: Denial-of-Service Risks and Source Code Exposure Threats
New React RSC Vulnerabilities Enable DoS and Source Code Exposure
The React team has released patches for two new types of vulnerabilities in React Server Components (RSC) that could allow attackers to execute denial-of-service attacks or expose server-side source code. These flaws were discovered by security researchers while investigating the previously patched critical vulnerability CVE-2025-55182.
Security experts found these weaknesses in the wake of ongoing exploitation of the earlier critical RSC vulnerability. The discovery highlights how researchers often scrutinize adjacent code paths following major security disclosures to test if initial mitigations can be bypassed.
Understanding the vulnerabilities
The three vulnerabilities addressed in this update include two denial-of-service issues and one information leak vulnerability:
CVE-2025-55184 (CVSS score: 7.5) involves unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This pre-authentication vulnerability can trigger an infinite loop that hangs the server process and can block subsequent HTTP requests, taking the application offline much as a denial-of-service attack would.
CVE-2025-67779 (CVSS score: 7.5) is the result of an incomplete fix for CVE-2025-55184 and has the same impact on affected systems. It demonstrates how initial security patches sometimes require further refinement.
CVE-2025-55183 (CVSS score: 5.3) is an information leak vulnerability allowing specially crafted HTTP requests to return the source code of any Server Function. Exploitation requires the existence of a Server Function that explicitly or implicitly exposes an argument converted to string format.
These security issues affect multiple versions of React server-side rendering packages, including:
- react-server-dom-parcel
- react-server-dom-turbopack
- react-server-dom-webpack across versions 19.0.0 through 19.2.2
Technical exploitation details
The denial-of-service vulnerabilities exploit how React Server Components deserialize incoming HTTP request payloads. A crafted payload, when deserialized by the server, drives the process into an infinite loop that effectively freezes the application. This is a direct threat to application availability and underscores the importance of robust security measures across all application layers.
Impact on organizations
Organizations using React Server Components in production environments face significant risks if they don't update promptly. The denial-of-service vulnerabilities could be particularly damaging to business continuity, as they could render applications unresponsive.
"When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed," the React team explained. "This pattern shows up across the industry, not just in JavaScript. Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle."
The source code exposure vulnerability presents additional concerns, as it could reveal proprietary business logic, security implementations, or even hardcoded credentials if present in the code.
React's widespread adoption across modern web applications means these vulnerabilities potentially affect thousands of organizations. Companies in finance, healthcare, e-commerce, and other sectors using React for customer-facing applications should prioritize these updates.
Business implications
For businesses relying on React-based applications, these vulnerabilities could lead to:
- Service interruptions causing lost revenue and damaged customer trust
- Intellectual property exposure through leaked source code
- Potential regulatory compliance issues if sensitive systems are affected
- Increased security team burden due to emergency patching requirements
Organizations should incorporate these vulnerabilities into their risk assessment frameworks and consider how comprehensive website security strategies can prevent exploitation of similar vulnerabilities in the future.
Mitigation and recommendations
Users are strongly advised to update to the fixed versions as soon as possible:
- Version 19.0.3 (for 19.0.x users)
- Version 19.1.4 (for 19.1.x users)
- Version 19.2.3 (for 19.2.x users)
This update is particularly urgent given the active exploitation of the earlier CVE-2025-55182 vulnerability, which received the maximum CVSS score of 10.0, indicating critical severity.
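To turn the version list above into a repeatable check, here is an added example (not code from the React project or its advisory) that flags installed react-server-dom-* packages in the affected range and names the fixed release for their minor line. It assumes a map of resolved package versions, such as a flattened `npm ls --json` result or lockfile entries; the function names are illustrative.

```javascript
// Added example, not code from the React project or its advisory: check whether
// installed react-server-dom-* versions fall in the affected range (19.0.0
// through 19.2.2) and report the fixed release for each minor line.
const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];

// Fixed release per minor line, as listed in the advisory.
const FIXED_BY_MINOR = { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" };

// Expects resolved versions (lockfile / npm ls), not package.json ranges like ^19.2.2.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a release version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns { vulnerable, fixedVersion } for one package/version pair. Versions
// on other major or minor lines are outside what the advisory lists.
function assess(pkg, version) {
  const notAffected = { vulnerable: false, fixedVersion: null };
  if (!AFFECTED_PACKAGES.includes(pkg)) return notAffected;
  const v = parseSemver(version);
  const fixed = FIXED_BY_MINOR[`${v[0]}.${v[1]}`];
  if (!fixed || compareSemver(v, parseSemver(fixed)) >= 0) return notAffected;
  return { vulnerable: true, fixedVersion: fixed };
}

// Scan a { name: version } map and return only the packages needing an update.
function scanDependencies(deps) {
  return Object.entries(deps)
    .map(([name, version]) => ({ name, version, ...assess(name, version) }))
    .filter((r) => r.vulnerable);
}

// Constructed sample input (not real lockfile data).
const SAMPLE_DEPS = {
  react: "19.2.2",
  "react-server-dom-webpack": "19.2.2",
  "react-server-dom-parcel": "19.1.4",
  "react-server-dom-turbopack": "19.0.1",
};
console.log(scanDependencies(SAMPLE_DEPS));
```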
For organizations that cannot immediately update, implementing web application firewalls (WAFs) with rules to detect and block suspicious payloads may provide some temporary protection. However, these should be considered stopgap measures rather than permanent solutions.
Development teams should also conduct code reviews of their Server Functions to identify any that might expose arguments in string format, which could make them vulnerable to the source code exposure issue.
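As an added example for that code review (not React's code; the function names are illustrative), the block below shows a Server Function that implicitly converts its argument to a string beside a hardened version that validates the argument first, plus a small self-check a reviewer can run against a Server Function to see whether a non-string argument's source text ends up in its output.

```javascript
// Added example, not code from the React project. Weak form: an unvalidated
// argument is interpolated into a string. In JavaScript, converting a function
// to a string yields its source text, so if the deserializer can ever hand this
// function a non-string value, whatever is stringified here lands in the response.
function sendWelcomeWeak(name) {
  return `Welcome, ${name}!`;
}

// Hardened form: accept only a primitive string of bounded length. Functions,
// objects and arrays are rejected before any string conversion can happen.
// The same check applies to implicit conversions such as `"bad id " + id`
// inside an Error message that is returned to the client.
function assertPlainString(value, maxLength = 100) {
  if (typeof value !== "string") {
    throw new TypeError(`expected string, got ${typeof value}`);
  }
  if (value.length > maxLength) throw new RangeError("argument too long");
  return value;
}

function sendWelcomeHardened(name) {
  const safeName = assertPlainString(name);
  return `Welcome, ${safeName}!`;
}

// Code-review helper: call the Server Function with a function value carrying a
// sentinel string and report whether that sentinel appears in the output, i.e.
// whether the function exposes an argument converted to string form.
function leaksSource(serverFn) {
  function marker() { return "SENTINEL_SOURCE_TEXT"; }
  try {
    const out = serverFn(marker);
    return typeof out === "string" && out.includes("SENTINEL_SOURCE_TEXT");
  } catch {
    return false; // rejected the non-string argument before converting it
  }
}

console.log({ weak: leaksSource(sendWelcomeWeak), hardened: leaksSource(sendWelcomeHardened) });
```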
Proactive security measures
Beyond immediate patching, organizations should consider implementing:
- Continuous vulnerability scanning for React-based applications
- Runtime application self-protection (RASP) solutions to detect and block exploitation attempts
- Security testing specifically targeting RSC implementations
- Dependency monitoring to receive alerts about future security issues
The React team's transparent communication about these vulnerabilities helps organizations understand not only the technical details but also the broader security landscape. This transparency builds trust within the developer community while enabling teams to make informed decisions about their security posture.
As modern web development continues to embrace server-side rendering approaches like React Server Components, maintaining vigilance around emerging security threats becomes increasingly important for development and security teams alike.
Recognition and credit
Security researchers RyotaK and Shinsaku Nomura identified and reported the two denial-of-service vulnerabilities to Meta's Bug Bounty program. Andrew MacPherson discovered and reported the information leak flaw.
This collaboration between independent security researchers and the React team exemplifies how the security community works together to protect the software supply chain. Such responsible disclosure practices allow development teams to address vulnerabilities before they become widely exploited.
Organizations can learn from this example by establishing their own vulnerability disclosure programs and maintaining relationships with security researchers who can provide early warnings about potential issues in their technology stack. According to NIST's guidelines on vulnerability disclosure, formal vulnerability disclosure processes significantly improve security posture and response times.