{"id":9147,"date":"2025-12-12T10:04:04","date_gmt":"2025-12-12T10:04:04","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/12\/new-vulnerabilities-in-react-server-components-allow-dos-attacks-and-source-code-leaks\/"},"modified":"2025-12-12T10:04:04","modified_gmt":"2025-12-12T10:04:04","slug":"new-vulnerabilities-in-react-server-components-allow-dos-attacks-and-source-code-leaks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/12\/new-vulnerabilities-in-react-server-components-allow-dos-attacks-and-source-code-leaks\/","title":{"rendered":"New Vulnerabilities in React Server Components Allow DoS Attacks and Source Code Leaks"},"content":{"rendered":"

New Vulnerabilities in React Server Components Allow DoS Attacks and Source Code Leaks
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Less than a week after addressing a critical Remote Code Execution (RCE) vulnerability, the React team has disclosed three additional security flaws affecting React Server Components (RSC).<\/p>\n

Security researchers discovered these new issues while attempting to bypass the mitigations for the previous \u201cReact2Shell<\/a>\u201d exploit.<\/p>\n

While the original RCE patch remains effective, the newly discovered vulnerabilities introduce risks regarding Denial-of-Service (DoS) and the unauthorized exposure of server-side source code.<\/p>\n

The React team emphasizes that previous updates (versions 19.0.2, 19.1.3, and 19.2.2) contained an incomplete fix, necessitating an immediate second upgrade.<\/p>\n

The most severe of the new flaws (rated High Severity) involves a Denial-of-Service<\/a> vector. Researchers found that a malicious HTTP request sent to a Server Functions endpoint can trigger an infinite loop during React\u2019s deserialization process.<\/p>\n

This causes the server process to hang and consumes available CPU resources, effectively taking the application offline.<\/p>\n

A separate Medium Severity issue allows attackers to manipulate HTTP requests to leak the source code of Server Functions. While runtime secrets (like environment variables) remain secure, any hardcoded secrets or logic within the function could be exposed.<\/p>\n

The vulnerabilities are tracked under the following identifiers:<\/p>\n

\n\n\n\n\n\n\n\n
CVE ID<\/th>\nVulnerability Type<\/th>\nSeverity<\/th>\nCVSS Score<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-55184<\/strong><\/td>\nDenial of Service<\/td>\nHigh<\/td>\n7.5<\/td>\n<\/tr>\n
CVE-2025-67779<\/strong><\/td>\nDenial of Service (Patch Bypass)<\/td>\nHigh<\/td>\n7.5<\/td>\n<\/tr>\n
CVE-2025-55183<\/strong><\/td>\nSource Code Exposure<\/td>\nMedium<\/td>\n5.3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Affected Versions<\/strong><\/h2>\n

These vulnerabilities affect the react-server-dom-webpack<\/em>, react-server-dom-parcel<\/em>, and react-server-dom-turbopack<\/em> packages. Users of frameworks such as Next.js, Waku, and React Router are likely impacted.<\/p>\n

The initial patches released<\/a> earlier this week were incomplete. If you are currently running versions 19.0.2, 19.1.3, or 19.2.2, you remain vulnerable to the DoS exploit (CVE-2025-67779).<\/p>\n

Developers must upgrade to the following \u201csafe\u201d versions immediately:<\/p>\n