Full Report
The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in
Analysis Summary
# Vulnerability: New DoS and Source Code Exposure Flaws in React Server Components (RSC)
## CVE Details
- CVE ID: CVE-2025-55184, CVE-2025-67779, CVE-2025-55183
- CVSS Score: 7.5 (High) for CVE-2025-55184 and CVE-2025-67779; 5.3 (Medium) for CVE-2025-55183
- CWE: Unsafe Deserialization (Implied for DoS), Information Exposure (Implied for Code Leak)
## Affected Systems
- Products: Packages within React Server Components (RSC): `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`.
- Versions:
  - CVE-2025-55184 & CVE-2025-55183: 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1
  - CVE-2025-67779: 19.0.2, 19.1.3, and 19.2.2
- Configurations: Exploitation of CVE-2025-55183 requires the existence of a Server Function that explicitly or implicitly exposes an argument converted to a string format.
## Vulnerability Description
The React team patched three vulnerabilities in RSC derived from security research following the fixes for the critical CVE-2025-55182:
1. **CVE-2025-55184 (DoS):** A pre-authentication denial-of-service vulnerability caused by unsafe deserialization of payloads received via HTTP requests directed at Server Function endpoints. This can trigger an infinite loop, causing the server process to hang and potentially blocking future HTTP requests.
2. **CVE-2025-67779 (Incomplete Fix DoS):** An incomplete mitigation for CVE-2025-55184, resulting in the same denial-of-service impact.
3. **CVE-2025-55183 (Information Leak):** An information leak vulnerability where a specifically crafted HTTP request to a vulnerable Server Function can cause the server to return the source code of *any* Server Function available in that context.
## Exploitation
- Status: The vulnerabilities were discovered by security researchers while attempting to exploit related patches (specifically for CVE-2025-55182, which has been weaponized). It is reasonable to assume active exploration or proof-of-concept code exists, especially for the DoS variants, given the context of rapid discovery following a critical patch.
- Complexity: Low/Medium, as they involve pre-authentication network requests targeting publicly exposed Server Function endpoints.
- Attack Vector: Network (via crafted HTTP requests).
## Impact
- Confidentiality: Potential **High** impact due to source code exposure (CVE-2025-55183).
- Integrity: Low; the advisory does not describe any modification of server state.
- Availability: **High** impact due to denial-of-service conditions (CVE-2025-55184 and CVE-2025-67779) leading to server process hangs.
## Remediation
### Patches
Users are strongly advised to upgrade immediately, especially given the active exploitation of the related CVE-2025-55182, to the following patched versions:
- **19.0.3**
- **19.1.4**
- **19.2.3**
### Workarounds
No specific workarounds were detailed in the summary, but restricting access to Server Function endpoints or implementing strict input sanitization on HTTP request bodies targeting these functions could serve as a temporary measure until patching is complete.
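As an added example (not code from the React project or the advisory), the following framework-neutral pre-check implements the two stop-gap measures mentioned above for requests aimed at Server Function endpoints: it restricts which sources may reach them and rejects request bodies that are not shaped as expected (wrong method, wrong content type, missing or oversized body). The endpoint prefix `/_server`, the size limit, the content-type list and the source allowlist are all assumptions to adapt per deployment.

```javascript
// Added example, not part of the React advisory or the React code base.
// A pre-check for HTTP requests to RSC Server Function endpoints, to sit in
// front of the real handler while an upgrade to a patched release is rolled out.

const SERVER_FUNCTION_PREFIX = "/_server"; // hypothetical route prefix (assumption)

const LIMITS = {
  maxBodyBytes: 64 * 1024,                                   // assumed upper bound for action payloads
  allowedContentTypes: ["text/plain", "multipart/form-data", "application/json"], // assumption
  allowedSources: ["10.0.0.0/8", "127.0.0.1/32"],            // e.g. only via an internal gateway; [] disables
};

// Parse a dotted IPv4 string into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True if `ip` falls inside the IPv4 CIDR block `cidr` (e.g. "10.0.0.0/8").
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const n = ipv4ToInt(net);
  if (a === null || n === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// Decide whether a request may proceed to a Server Function handler.
// `req` is a plain object: { method, path, headers (lower-cased keys), remoteAddress }.
// Returns { allow: boolean, reason: string }.
function inspectServerFunctionRequest(req, limits = LIMITS) {
  if (!req.path.startsWith(SERVER_FUNCTION_PREFIX)) {
    return { allow: true, reason: "not a server function route" };
  }
  if (req.method !== "POST") return { allow: false, reason: "method" };

  // Restrict access: when a source allowlist is configured, the caller must match it.
  if (limits.allowedSources.length > 0 &&
      !limits.allowedSources.some((cidr) => inCidr(req.remoteAddress, cidr))) {
    return { allow: false, reason: "source" };
  }

  // Fail closed on bodies of unknown length (no Content-Length header) and cap the size.
  const len = Number(req.headers["content-length"]);
  if (!Number.isFinite(len) || len < 0) return { allow: false, reason: "missing content-length" };
  if (len > limits.maxBodyBytes) return { allow: false, reason: "body too large" };

  // Only accept the content types the action endpoint is expected to receive.
  const ct = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!limits.allowedContentTypes.includes(ct)) return { allow: false, reason: "content-type" };

  return { allow: true, reason: "ok" };
}

module.exports = { inspectServerFunctionRequest, inCidr, ipv4ToInt, LIMITS };
```

The check is deliberately coarse: a crafted payload that is the right size and type still reaches the deserializer, so this reduces exposure (fewer callers, bounded bodies) rather than closing the flaws. Upgrading to 19.0.3, 19.1.4 or 19.2.3 remains the fix.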
## Detection
- **Indicators of Compromise (IoCs):** Look for unusual resource utilization (CPU spikes causing process hangs) coinciding with incoming HTTP requests targeting Server Function endpoints, particularly requests containing unexpected or malformed serialized data. For the information leak, monitor HTTP responses originating from Server Functions for unexpected large or source-code-like payloads.
- **Detection Methods and Tools:** Application monitoring or tracing tools that can inspect request payloads sent to RSC Server Function endpoints may help identify malicious traffic patterns or the resulting server instability.
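The two indicators listed above can be checked from structured access logs. The following is an added example (not from the advisory or the React project) that reads constructed JSON log records, builds a per-endpoint baseline of normal response sizes, and flags requests to Server Function endpoints that hang or time out, and responses that are far larger than that endpoint normally returns. The log schema, the `/_server` route prefix, the sample records and the thresholds are all assumptions.

```javascript
// Added example, not part of the React advisory: a log-based detector for the
// DoS (hang) and source-code-exposure (oversized response) symptoms described
// for RSC Server Function endpoints. Everything below is constructed.

const SERVER_FUNCTION_PREFIX = "/_server"; // hypothetical route prefix (assumption)

const DEFAULTS = {
  hangMs: 5000,       // a Server Function call slower than this is treated as a hang
  sizeMultiple: 5,    // response at least 5x the endpoint's median size...
  minLeakBytes: 4096, // ...and at least this big, so tiny endpoints do not alert on noise
};

// Constructed sample log: one JSON record per line (schema is an assumption).
const SAMPLE_LOG = [
  '{"id":1,"ts":"2025-12-12T10:00:01Z","method":"POST","path":"/_server/updateCart","status":200,"bytes_in":310,"bytes_out":1200,"duration_ms":42}',
  '{"id":2,"ts":"2025-12-12T10:00:02Z","method":"POST","path":"/_server/updateCart","status":200,"bytes_in":295,"bytes_out":1300,"duration_ms":39}',
  '{"id":3,"ts":"2025-12-12T10:00:03Z","method":"POST","path":"/_server/updateCart","status":200,"bytes_in":305,"bytes_out":1250,"duration_ms":45}',
  '{"id":4,"ts":"2025-12-12T10:00:04Z","method":"POST","path":"/_server/updateCart","status":200,"bytes_in":4100,"bytes_out":60000,"duration_ms":51}',
  '{"id":5,"ts":"2025-12-12T10:00:05Z","method":"POST","path":"/_server/updateCart","status":504,"bytes_in":2200,"bytes_out":0,"duration_ms":30000,"timed_out":true}',
  '{"id":6,"ts":"2025-12-12T10:00:06Z","method":"GET","path":"/api/health","status":200,"bytes_in":0,"bytes_out":20,"duration_ms":2}',
].join("\n");

function parseLines(text) {
  return text.split("\n").filter(Boolean).map((line) => JSON.parse(line));
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Returns a list of findings: { id, path, kind: "hang" | "oversized_response", detail }.
function analyzeLog(records, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const hits = records.filter((r) => typeof r.path === "string" && r.path.startsWith(SERVER_FUNCTION_PREFIX));

  // Baseline: response sizes of completed (2xx) calls, grouped by endpoint.
  const byPath = new Map();
  for (const r of hits) {
    if (r.status >= 200 && r.status < 300) {
      if (!byPath.has(r.path)) byPath.set(r.path, []);
      byPath.get(r.path).push(r.bytes_out);
    }
  }

  const findings = [];
  for (const r of hits) {
    // DoS symptom: the call never completed in time, or the proxy gave up on it.
    if (r.timed_out || r.duration_ms >= cfg.hangMs) {
      findings.push({ id: r.id, path: r.path, kind: "hang",
        detail: `${r.duration_ms}ms, timed_out=${Boolean(r.timed_out)}` });
    }
    // Leak symptom: response much larger than this endpoint's usual reply.
    const base = byPath.get(r.path) || [];
    if (base.length >= 3) { // need a few normal samples before judging
      const med = median(base);
      if (r.bytes_out >= cfg.minLeakBytes && r.bytes_out >= cfg.sizeMultiple * med) {
        findings.push({ id: r.id, path: r.path, kind: "oversized_response",
          detail: `${r.bytes_out}B vs median ${med}B` });
      }
    }
  }
  return findings;
}

function runSample() {
  return analyzeLog(parseLines(SAMPLE_LOG));
}

module.exports = { analyzeLog, parseLines, median, runSample, SAMPLE_LOG };
```

One caveat when using the hang rule: a process stuck in the infinite loop described for CVE-2025-55184 may never write its own access-log line for the offending request, so the timeout signal is more reliable when taken from the reverse proxy or load balancer in front of the application (the `timed_out` flag and 504 in the sample stand in for that), and should be correlated with the CPU utilization of the Node process.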
## References
- Vendor advisory (React team blog discussing fixes): hxxps://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
- Context on related CVE-2025-55182 exploitation: hxxps://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html
- CVE records: CVE-2025-55184, CVE-2025-67779, CVE-2025-55183