React RSC Bugs Spark DoS Risks and Code Leak Threats
React has shipped fixes for new React Server Components vulnerabilities that can trigger denial-of-service or expose server function source code. The issues surfaced as researchers probed workarounds to the earlier critical RSC bug CVE-2025-55182, which has been exploited in the wild.
Key vulnerabilities
- CVE-2025-55184 (CVSS 7.5): Pre-auth DoS via unsafe deserialization of HTTP payloads to Server Function endpoints, causing an infinite loop that hangs the server and blocks future requests.
- CVE-2025-67779 (CVSS 7.5): Incomplete fix for CVE-2025-55184 with the same DoS impact.
- CVE-2025-55183 (CVSS 5.3): Information leak that can return the source code of any Server Function when a specially crafted request hits a vulnerable Server Function. Exploitation requires a Server Function that explicitly or implicitly exposes an argument converted to a string.
Affected packages and versions
Applicable to react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack:
- CVE-2025-55184 and CVE-2025-55183: 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
- CVE-2025-67779: 19.0.2, 19.1.3, 19.2.2
What to do
- Update immediately to 19.0.3, 19.1.4, or 19.2.3, especially given the active in-the-wild exploitation of CVE-2025-55182.
Credits
- DoS reports: RyotaK and Shinsaku Nomura (Meta Bug Bounty)
- Info leak report: Andrew MacPherson
Why it matters
Following critical disclosures, researchers commonly test variant exploit paths to bypass initial fixes. While additional disclosures can be frustrating, they reflect a healthy response cycle and lead to stronger hardening over time.
Source: The Hacker News