The React team has released fixes for two new types of defects in React Server Components (RSC). Successful exploitation may lead to a denial of service (DoS) or source code disclosure.
According to the team, this issue was discovered by the security community while attempting to exploit a patch released for CVE-2025-55182 (CVSS score: 10.0). CVE-2025-55182 (CVSS score: 10.0) is a critical bug in RSC that has since been weaponized in the wild.
The three vulnerabilities are listed below.
CVE-2025-55184 (CVSS Score: 7.5) – Pre-authentication denial of service vulnerability due to insecure deserialization of the payload from an HTTP request to a server function endpoint. This can cause an infinite loop and hang the server process, preventing it from processing future HTTP requests. CVE-2025-67779 (CVSS Score: 7.5) – Incomplete fix with same impact CVE-2025-55184 CVE-2025-55183 (CVSS Score: 5.3) – Information disclosure vulnerability where a specially crafted HTTP request is sent to a vulnerable server function, potentially returning the source code of an arbitrary server function.
However, successful exploitation of CVE-2025-55183 requires the presence of a server function that explicitly or implicitly exposes its arguments to string format.
Defects affecting the following versions of act-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack –
CVE-2025-55184 and CVE-2025-55183 – 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 CVE-2025-67779 – 19.0.2, 19.1.3 and 19.2.2
Security researchers RyutaK and Shinsaku Nomura are credited with reporting two DoS bugs to the Meta Bug Bounty program, and Andrew MacPherson is credited with reporting the information disclosure flaw.
We recommend that users update to versions 19.0.3, 19.1.4, and 19.2.3 as soon as possible, especially in light of the active investigation of CVE-2025-55182.
“When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths, looking for variant exploit techniques to test whether initial mitigations can be circumvented,” the React team said. “This pattern is seen across industries, not just JavaScript. Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.”
Source link
