New React RSC Vulnerabilities Enable DoS and Source Code Exposure

Du'aine Davis

Observed in the wild

• Two new vulnerabilities in React Server Components (RSC) were disclosed on 12 December 2025, following active exploitation of CVE-2025-55182. The flaws include CVE-2025-55184 and CVE-2025-67779 (DoS) and CVE-2025-55183 (information leak), impacting versions 19.0.0–19.2.2 of react-server-dom packages. Attackers can cause server hangs or expose source code via crafted HTTP requests.
• Exploitation occurs through unsafe deserialization of HTTP payloads to Server Function endpoints, triggering infinite loops (DoS) or leaking source code when arguments are converted to strings. These issues were discovered by security researchers during bug bounty investigations, highlighting variant exploit techniques after initial patch scrutiny.
• Organisations should urgently update to patched versions 19.0.3, 19.1.4, and 19.2.3. Monitor for abnormal HTTP request patterns targeting Server Functions and apply Microsoft Defender for Endpoint behavioural detection for suspicious deserialization or infinite loop activity. Implement strict input validation and review exposed arguments in Server Functions to prevent inadvertent data leaks.

CVE‑2025‑55184 (DoS)– CVSS 3.1: 7.5 (High); nvd.nist.gov
CVE‑2025‑67779 (Incomplete DoS fix) – CVSS 3.1: 7.5 (High); nvd.nist.gov
CVE‑2025‑55183 (Source‑code leak) – CVSS 3.1: 5.3 (Medium); nvd.nist.gov
Denial of Service and Source Code Exposure in React Server Components – React