React Server Components Face New Vulnerabilities Prompting Urgent Fixes

By Tina Reynolds

Just last week, the React team announced a set of high-severity security issues in React Server Components (RSC). The bugs can be used to cause a denial of service (DoS) and to disclose the source code of Server Functions. Two of them, CVE-2025-55184 and CVE-2025-67779, each carry a CVSS score of 7.5, which rates as high severity. Users are urged to upgrade to the patched releases, 19.0.3, 19.1.4, and 19.2.3, as soon as possible.

CVE-2025-55184 is a pre-authentication denial of service vulnerability in React Server Components. Server Functions deserialize untrusted payloads sent over HTTP to their endpoints, and a crafted payload can drive that deserialization into an infinite loop. The server process hangs and stops handling new HTTP requests. No credentials are needed to trigger it, so any service that depends on RSC is exposed.

Incomplete Fixes Lead to Additional Vulnerability

The second vulnerability, CVE-2025-67779, is an incomplete fix for CVE-2025-55184: the original patch could be bypassed, so the bypass received its own identifier and the same CVSS score of 7.5. It is a reminder that the first patch for an urgent vulnerability is not always the last one.

The React team acknowledged why this happens, stating, “When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.” The lesson is that the work does not end with the first patch: the mitigation itself becomes a target, so vigilance has to continue after the fix ships.

Source Code Exposure Risk

Alongside the denial of service bugs, the React team disclosed a third issue, CVE-2025-55183, with a CVSS score of 5.3 (medium). The lower score understates its value to an attacker, because it is an information leak: a specially crafted HTTP request to a vulnerable Server Function can expose the source code of any Server Function. Successful exploitation requires only that the targeted Server Function directly or indirectly exposes one of its arguments after that argument has been converted to a string.
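To make the precondition concrete, here is an added illustration (not React's code and not from this article) of why "an argument that is eventually converted to a string" matters, for both the untrusted-payload point above and the leak described here. In JavaScript, converting a function value to a string returns its source text, so if a deserialized, attacker-controlled argument can arrive as a non-string value, an unchecked stringification puts code into the response. The model does not use React's wire format; `greetUnsafe`, `greetSafe`, the `assertString` helper and the sample inputs are all constructed for this example.

```javascript
// Added illustration (not React's code, not from the article): a plain-JS
// model of a Server Function whose argument is eventually turned into a
// string. Stringifying a function value in JavaScript returns its source,
// so untyped stringification of a deserialized argument can leak code.

// Stand-in for server-only logic that must never reach a client.
function lookupDiscount(tier) {
  const secretTable = { gold: 0.2, silver: 0.1 }; // pretend this is sensitive
  return secretTable[tier] ?? 0;
}

// Vulnerable pattern: `name` arrives from a deserialized HTTP payload and is
// coerced to a string with no type check. Whatever `name` is, its string
// form ends up in the response.
function greetUnsafe(name) {
  return `Hello, ${name}!`;
}

// Hardened pattern: treat every Server Function argument as untrusted input
// and validate its type and size before using it. (assertString is a helper
// written for this example, not a React API.)
function assertString(value, maxLen = 64) {
  if (typeof value !== "string") {
    throw new TypeError(`expected a string argument, got ${typeof value}`);
  }
  if (value.length > maxLen) {
    throw new RangeError(`argument too long: ${value.length} > ${maxLen}`);
  }
  return value;
}

function greetSafe(name) {
  return `Hello, ${assertString(name)}!`;
}

// True if the source text of `fn` appears verbatim in `output`.
function leaksSource(output, fn) {
  return output.includes(fn.toString());
}

// Constructed inputs: a benign string, and a function value standing in for
// a non-string value that reached the Server Function through deserialization.
function demo() {
  const benign = greetUnsafe("Ada");
  const leaked = greetUnsafe(lookupDiscount);
  let safeOutcome;
  try {
    greetSafe(lookupDiscount);
    safeOutcome = "accepted";
  } catch (err) {
    safeOutcome = err.constructor.name; // rejected before any stringification
  }
  return {
    benign, // "Hello, Ada!"
    unsafeLeaks: leaksSource(leaked, lookupDiscount), // true
    safeOutcome, // "TypeError"
  };
}

console.log(demo());
```

The type check is not a substitute for upgrading, since the page's fix is the patched React release; it is the defensive habit that keeps a stringified argument from ever carrying anything but the string you expected.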

For developers, leaking server-side source code is a serious blow: it hands an attacker the implementation details of exactly the code that handles their requests. Organizations that have built their applications on RSC should treat this with particular care. As software systems grow in complexity, protecting them from this class of vulnerability matters more than ever.

Urgent Call for Updates

In short, the React team has disclosed several vulnerabilities in a short span and is asking all users to update without delay. Versions 19.0.3, 19.1.4, and 19.2.3 contain the fixes for the issues described above.
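A practical check before and after upgrading, as an added example that is not part of the article or the React project: walk an npm lockfile and flag every copy of the React packages that sits below the patched release for its 19.x line. The fixed versions come from the article; the list of package names to check is an assumption made for this example (the React advisory is the authoritative source for affected packages), and the lockfile is constructed inline.

```javascript
// Added example (not from the React project or this article): audit the React
// package versions pinned in an npm lockfile against the patched releases
// named above. The package list is an assumption for this example; the React
// advisory is the authoritative source for which packages are affected.

// First patched version on each 19.x release line, per the article.
const FIXED_BY_LINE = {
  "19.0": [19, 0, 3],
  "19.1": [19, 1, 4],
  "19.2": [19, 2, 3],
};

// Assumed package names to check; adjust to match the advisory.
const PACKAGES = new Set([
  "react",
  "react-dom",
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  = at or above the patched release for its line
// false = below it (needs an upgrade)
// null  = not on a 19.x line covered by the article; consult the advisory
function isPatched(version) {
  const parsed = parseSemver(version);
  const fixed = FIXED_BY_LINE[`${parsed[0]}.${parsed[1]}`];
  if (!fixed) return null;
  return compareSemver(parsed, fixed) >= 0;
}

// Walks an npm lockfile (lockfileVersion 2 or 3), where installed packages are
// keyed by path such as "node_modules/react" or, for nested duplicates,
// "node_modules/some-lib/node_modules/react". Nested copies count too: a stale
// transitive copy is still code that runs.
function auditLock(lock) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const idx = path.lastIndexOf(marker);
    if (idx < 0) continue; // the root entry ("") has no node_modules path
    const name = path.slice(idx + marker.length);
    if (!PACKAGES.has(name) || typeof entry.version !== "string") continue;
    findings.push({ path, name, version: entry.version, patched: isPatched(entry.version) });
  }
  return findings;
}

function unpatched(findings) {
  return findings.filter((f) => f.patched === false);
}

// Constructed sample lockfile: the top-level react is one release short, and a
// nested copy under some-lib is still on 19.0.2.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.3" },
    "node_modules/react-server-dom-webpack": { version: "19.1.4" },
    "node_modules/some-lib/node_modules/react": { version: "19.0.2" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const f of unpatched(auditLock(SAMPLE_LOCK))) {
  console.log(`UPGRADE ${f.path} (${f.version})`);
}
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock` instead of the sample; an empty result means every checked copy is at or above the patched release for its line. Packages outside the 19.x lines come back as `null` rather than a verdict, because the article only names fixes for those three lines.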

Keeping dependencies current is the single most effective step here. Staying on patched releases lowers the risk from known vulnerabilities and gives your applications a more secure foundation.