New React RSC Vulnerabilities Allow DoS Attacks and Source Code Exposure

The React development team has released security updates addressing two newly identified classes of vulnerabilities in React Server Components (RSC). If exploited, these weaknesses could allow attackers to trigger denial of service conditions or expose application source code, expanding the risk surface for environments already under pressure from recent React-related flaws.

According to the React team, the issues were uncovered by members of the security research community while analyzing and attempting to bypass mitigations introduced for CVE-2025-55182. That earlier vulnerability, which carries a CVSS score of 10.0, has already been actively exploited in real-world attacks, prompting heightened scrutiny of adjacent code paths.

In total, three related vulnerabilities have now been documented.

CVE-2025-55184, with a CVSS score of 7.5, is a pre-authentication denial of service flaw. It stems from unsafe deserialization of HTTP request payloads sent to Server Function endpoints. A successful attack can trigger an infinite loop, causing the server process to hang and potentially blocking all subsequent HTTP requests.

CVE-2025-67779, also rated at 7.5, represents an incomplete fix for CVE-2025-55184. It carries the same impact and can similarly be abused to disrupt service availability.

CVE-2025-55183, assigned a CVSS score of 5.3, is an information disclosure issue. Under specific conditions, a carefully crafted HTTP request can force a vulnerable Server Function to return the source code of any Server Function. Exploitation of this flaw depends on the presence of a Server Function that directly or indirectly exposes an argument that has been converted into a string.

The affected components include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack across multiple releases. Versions impacted by CVE-2025-55184 and CVE-2025-55183 include 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1. CVE-2025-67779 affects versions 19.0.2, 19.1.3, and 19.2.2.

Security researchers RyotaK and Shinsaku Nomura were credited with responsibly reporting the two denial of service vulnerabilities through the Meta Bug Bounty. The source code exposure issue was reported by Andrew MacPherson.

Users and organizations are strongly advised to upgrade to the fixed releases, specifically versions 19.0.3, 19.1.4, and 19.2.3. The guidance is particularly urgent given the ongoing active exploitation of CVE-2025-55182 in the wild.
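A quick way to check whether a deployment is on one of the affected builds is to audit the lockfile rather than trusting `package.json` ranges, since a transitive dependency may pin a different `react-server-dom-*` release than the top-level one. The script below is an added example, not code from the article or from the React project: it walks an npm `package-lock.json` (both the lockfileVersion 2/3 `packages` map and the older `dependencies` tree), matches the three bundler packages against the affected version lists and the fixed releases stated above, and reports which CVEs apply to each install and which release closes them. The lock contents in `SAMPLE_LOCK` are constructed for the demonstration.

```javascript
// Added example (not from the article or the React project): audit a
// package-lock.json for react-server-dom-* releases the advisory lists as
// affected, and report the fixed release for each minor line.

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'react-server-dom-webpack',
]);

// Affected versions exactly as the advisory lists them.
const AFFECTED_BY = {
  'CVE-2025-55184': ['19.0.0', '19.0.1', '19.1.0', '19.1.1', '19.1.2', '19.2.0', '19.2.1'],
  'CVE-2025-55183': ['19.0.0', '19.0.1', '19.1.0', '19.1.1', '19.1.2', '19.2.0', '19.2.1'],
  'CVE-2025-67779': ['19.0.2', '19.1.3', '19.2.2'],
};

// Fixed release for each 19.x minor line.
const FIXED_RELEASE = { '19.0': '19.0.3', '19.1': '19.1.4', '19.2': '19.2.3' };

// Collect { name, version, path } for every installed package in a parsed
// lockfile. lockfileVersion 2/3 keys "packages" by node_modules path;
// lockfileVersion 1 nests "dependencies" objects instead.
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path) continue; // the "" key is the root project itself
      const marker = 'node_modules/';
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      found.push({ name, version: entry.version, path });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        found.push({ name, version: entry.version, path });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// CVE identifiers whose affected list contains this exact version.
function cvesFor(version) {
  return Object.keys(AFFECTED_BY).filter((cve) => AFFECTED_BY[cve].includes(version));
}

// One finding per vulnerable install: applicable CVEs and the upgrade target.
function auditLock(lock) {
  const findings = [];
  for (const { name, version, path } of collectInstalled(lock)) {
    if (!AFFECTED_PACKAGES.has(name) || typeof version !== 'string') continue;
    const cves = cvesFor(version);
    if (cves.length === 0) continue;
    const minor = version.split('.').slice(0, 2).join('.');
    findings.push({ name, version, path, cves, upgradeTo: FIXED_RELEASE[minor] });
  }
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3): one top-level install on
// an affected release, one nested install on the incomplete-fix release, and
// one already on a fixed release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-tool/node_modules/react-server-dom-turbopack': { version: '19.1.3' },
    'node_modules/react-server-dom-parcel': { version: '19.2.3' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} affected by ${f.cves.join(', ')}; upgrade to ${f.upgradeTo}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The check is an exact-version match against the advisory's lists, so a non-listed build (for example a canary or a release published after the advisory) is reported as clean; treat a clean result as "not on a listed version", not as proof the deployment is patched.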

Commenting on the situation, the React team noted that once a critical flaw becomes public, researchers naturally probe related functionality to test whether initial mitigations can be bypassed. While follow-on disclosures may be frustrating for defenders, the team emphasized that this pattern reflects a healthy and proactive security response cycle seen across the wider software industry.
