New React Server Components vulnerabilities disclosed

Security researchers have disclosed three new vulnerabilities in React Server Components, found while probing the fix for the recent React2Shell remote code execution flaw (CVE-2025-55182).

While the original Remote Code Execution mitigation remains effective, the newly discovered flaws introduce serious availability and data exposure risks.

🔓 Newly disclosed vulnerabilities

  • High Severity – Denial of Service
    • CVE-2025-55184
    • CVE-2025-67779
    • CVSS: 7.5
  • Medium Severity – Source Code Exposure
    • CVE-2025-55183
    • CVSS: 5.3

⚠️ Impact

Denial of Service (High):
A specially crafted HTTP request sent to a Server Functions endpoint can trigger an infinite deserialization loop, causing:

  • Server hang
  • CPU exhaustion
  • Service unavailability

Even applications not explicitly using Server Functions may be vulnerable if React Server Components are enabled.

Source Code Exposure (Medium):
Attackers may coerce a vulnerable Server Function into returning its own source code, potentially leaking:

  • Internal logic
  • Secrets or API keys
  • Sensitive backend workflows

📦 Affected packages & versions

The vulnerabilities affect the same packages and versions as CVE-2025-55182.

Vulnerable versions:
19.0.0 – 19.0.2
19.1.0 – 19.1.2
19.2.0 – 19.2.2

Packages:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

✅ Fixed versions (upgrade immediately)

19.0.3
19.1.4
19.2.3
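A practical first check is whether any copy of the three packages in a project's lockfile (including nested, deduplicated copies) sits below the fixed release for its minor line. The Node.js script below is an added example, not code from the React project or the advisory: the package names and fixed versions are the ones listed above, the lockfile it runs on is constructed, and the rule that a pre-release build of the fixed patch (e.g. a canary) still counts as unfixed is an assumption based on semver ordering.

```javascript
// Added example (not code from React or the advisory): audit a package-lock.json
// for react-server-dom-* packages that are below the fixed versions this article lists.

// Packages named in the advisory.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First patch release of each 19.x minor line that carries the fix (from this article).
const FIXED_PATCH = { '19.0': 3, '19.1': 4, '19.2': 3 };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null for anything else
// (git URLs, dist-tags), which the caller must inspect by hand.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(version));
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Classify one installed version as 'vulnerable', 'fixed' or 'unknown'.
// 'unknown' covers packages outside the advisory, unparseable versions, and minor
// lines the advisory does not list (e.g. 18.x), which need a manual check.
function classify(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return 'unknown';
  const v = parseVersion(version);
  if (!v) return 'unknown';
  const fixed = FIXED_PATCH[`${v.major}.${v.minor}`];
  if (fixed === undefined) return 'unknown';
  // Conservative reading of the advisory: anything below the fixed release is flagged.
  if (v.patch < fixed) return 'vulnerable';
  // Assumption: a pre-release of the fixed patch (e.g. 19.2.3-canary-...) precedes the
  // release in semver ordering, so it is treated as not yet fixed.
  if (v.patch === fixed && v.pre !== null) return 'vulnerable';
  return 'fixed';
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. The package name
// is the segment after the last "node_modules/", so nested copies are included too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project entry ""
    const name = path.slice(idx + 'node_modules/'.length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.2' },
    'node_modules/react-server-dom-webpack': { version: '19.2.2' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.3' },
    'node_modules/some-framework/node_modules/react-server-dom-parcel': { version: '19.1.4-canary-0000' },
    'node_modules/legacy-tool/node_modules/react-server-dom-webpack': { version: '18.3.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Note that `react` itself is deliberately not in the affected set; only the `react-server-dom-*` packages are, so a project whose React version looks current can still carry an old server package pulled in by a framework.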

🧩 Affected frameworks & bundlers

The following frameworks and bundlers may be affected because they depend on the packages above:

  • Next.js
  • React Router
  • Waku
  • @parcel/rsc
  • @vite/rsc-plugin
  • rwsdk

🛡️ Additional notes

  • Apps not using a server or not using React Server Components are not affected
  • Temporary hosting-provider mitigations exist — do not rely on them
  • React Native users not using monorepos are generally unaffected
  • Monorepo React Native users should update only the impacted server packages

🔑 Key takeaway

Even without RCE, denial-of-service and source-leakage vulnerabilities can have a serious production impact. React Server Components remain a high-risk attack surface and should be closely monitored.

CATEGORIES:

EN|News|Security
