The React team has issued critical security patches addressing two new vulnerabilities discovered in React Server Components (RSC). These newly identified flaws, stemming from ongoing security research following the patching of a severe earlier vulnerability (CVE-2025-55182), could potentially lead to denial-of-service (DoS) attacks or unauthorized source code exposure.
These disclosures highlight the dynamic nature of software security, where the patching of one vulnerability can often uncover related weaknesses. Developers and users of affected React versions are urged to implement the provided updates to safeguard their applications against these emerging threats.
React Server Components Address New Flaws, Enhancing Software Security
Two distinct denial-of-service vulnerabilities and one information leak flaw have been detailed by the React development team. These issues were brought to light by security researchers who were actively probing the codebase after the recent patching of CVE-2025-55182, a critical Remote Code Execution vulnerability with a CVSS score of 10.0, which had already seen active exploitation.
The critical nature of these new findings underscores the importance of continuous security monitoring and rapid response within the open-source community. The React team emphasized that such detailed scrutiny of code following a major vulnerability disclosure is a common and healthy part of the security lifecycle, often revealing further areas for improvement.
Specific Vulnerabilities and Their Impact
Among the newly disclosed vulnerabilities is **CVE-2025-55184**, a pre-authentication denial-of-service flaw with a CVSS score of 7.5. This vulnerability arises from the unsafe deserialization of specific HTTP request payloads directed at Server Function endpoints. Successful exploitation could trigger an infinite loop, thereby halting the server process and potentially preventing all subsequent HTTP requests from being processed.
Additionally, **CVE-2025-67779**, also carrying a CVSS score of 7.5, is described as an incomplete fix for CVE-2025-55184, exhibiting the same denial-of-service impact. This suggests that the initial patch for the earlier DoS vulnerability did not fully address the underlying deserialization issue, leaving systems exposed.
A third vulnerability, **CVE-2025-55183**, rated with a CVSS score of 5.3, presents an information leak risk. A specifically crafted HTTP request sent to a vulnerable Server Function could return the source code of that function. However, exploiting this information leak requires a Server Function that exposes one of its arguments after explicitly or implicitly converting it to a string.
Affected React Versions and Mitigation Strategies
These vulnerabilities impact several versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. Specifically, CVE-2025-55184 and CVE-2025-55183 affect versions 19.0.0 through 19.2.1. Meanwhile, CVE-2025-67779 pertains to versions 19.0.2, 19.1.3, and 19.2.2.
The React team has provided mitigation advice, strongly recommending users upgrade to the latest patched versions. For CVE-2025-55184 and CVE-2025-55183, the recommended update is to version 19.0.3, 19.1.4, or 19.2.3, depending on the 19.x release line in use. These updates are crucial, especially given the prior active exploitation of a critical RSC vulnerability.
Security researchers RyotaK and Shinsaku Nomura were recognized for reporting the two denial-of-service bugs through Meta’s Bug Bounty program. Andrew MacPherson is credited with identifying and reporting the information leak vulnerability. Their contributions highlight the collaborative effort within the security community to improve the robustness of widely used software frameworks.
Looking ahead, the React team’s proactive response in addressing these newly identified flaws is expected to be followed by further community testing and potential discovery of related issues. Developers are advised to monitor official React security advisories for any subsequent updates or recommendations to ensure their applications remain secure. The ongoing scrutiny suggests a commitment to enhancing the overall software security of the React ecosystem.