Denial of service and source code exposure in React Server Components
2 days ago
- #Vulnerabilities
- #React
- #Security
- Two new vulnerabilities in React Server Components: Denial of Service (High Severity, CVE-2025-55184) and Source Code Exposure (Medium Severity, CVE-2025-55183).
- Patches are available in versions 19.0.2, 19.1.3, and 19.2.2. Immediate upgrade recommended.
- Affected frameworks and bundlers include next, react-router, waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk.
- Denial of Service (CVE-2025-55184): a crafted HTTP request to a Server Function endpoint can drive the server process into an infinite loop, hanging it. Because the hang is inside the server's own request handling, it does not recover on its own and takes the process out of service.
- Source Code Exposure (CVE-2025-55183): the source code of a Server Function can leak if that function stringifies one of its arguments and the resulting string reaches the caller, for example as part of a return value or an error message.
- React Native users not using monorepos or react-dom are unaffected but should update impacted packages if installed.
- Some hosting providers have deployed temporary mitigations, but these do not replace the fix: the affected packages must still be upgraded.
- Timeline of vulnerability discovery, reporting, and patching from December 3rd to December 11th.
- Acknowledgments to security researchers Andrew MacPherson and RyotaK for reporting the vulnerabilities.
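The only durable fix the advisory offers is the upgrade to 19.0.2, 19.1.3 or 19.2.2, so the practical check is a version audit across every package that ships a copy of the RSC runtime, including the transitive copies a framework or monorepo pulls in. The following is an added example, not code from the React project or the advisory: it classifies installed versions against the three patched releases named above. The package names in `SAMPLE` are a constructed lockfile excerpt for illustration (the real set of packages to check depends on your bundler and framework, which the page lists but does not map to package names); `classify` and `audit` are this example's own helpers.

```javascript
// Added example: audit installed React 19.x versions against the patched
// releases named in the advisory (19.0.2, 19.1.3, 19.2.2).
// Not the React project's own tooling. Feed it name -> version pairs taken
// from your lockfile (package-lock.json, pnpm-lock.yaml, yarn.lock).

// First patched patch-level for each affected 19.x minor line (from the advisory).
const PATCHED = { 19: { 0: 2, 1: 3, 2: 2 } };

// Minimal semver parse: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns one of: "patched", "vulnerable", "outside-advisory", "unparseable".
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "unparseable";
  const line = PATCHED[p.major];
  // Versions not on a 19.0/19.1/19.2 line are not covered by the patch list
  // on this page; they need a separate check rather than an assumption.
  if (!line || !(p.minor in line)) return "outside-advisory";
  const fixed = line[p.minor];
  if (p.patch > fixed) return "patched";
  // A prerelease of the fixed patch (e.g. 19.2.2-canary-...) sorts before
  // the release in semver, so treat it conservatively as unpatched.
  if (p.patch === fixed) return p.pre ? "vulnerable" : "patched";
  return "vulnerable";
}

// Classify every entry and list the ones that still need action.
function audit(installed) {
  const report = {};
  for (const [name, version] of Object.entries(installed)) {
    report[name] = { version, status: classify(version) };
  }
  const needsAction = Object.entries(report)
    .filter(([, r]) => r.status !== "patched")
    .map(([name]) => name);
  return { report, needsAction };
}

// Constructed sample input (hypothetical package names and versions, not
// taken from any real project). Replace with your own lockfile data.
const SAMPLE = {
  "react": "19.2.1",
  "react-dom": "19.2.2",
  "some-framework-rsc-runtime": "19.1.2",
  "nested-copy-in-monorepo": "19.0.2",
  "legacy-app-react": "18.3.1",
};

if (typeof require !== "undefined" && require.main === module) {
  const { report, needsAction } = audit(SAMPLE);
  console.table(report);
  console.log("needs action:", needsAction.join(", ") || "none");
}
```

Run it once per lockfile in the repository, not just the root one: a monorepo or a framework that vendors its own RSC runtime can leave an old 19.x copy installed even after `react` itself reads 19.2.2, which is why the advisory separately tells React Native users to update impacted packages if they are present.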