New React Server vulnerabilities reported, enable Denial-of-Service attacks and source code exposure
Take action: If you're using React Server Components or frameworks like Next.js, plan an upgrade to limit DoS risks and source code leaks. Not urgent like the React2Shell flaw, but a wise choice - especially the DoS patch. You don't want someone repeatedly crashing your application.
Security researchers have discovered three additional vulnerabilities in React Server Components while testing the effectiveness of patches released for the critical React2Shell vulnerability reported just one week earlier.
The React Team announced on December 11, 2025, that these newly identified flaws do not allow for remote code execution, and the patch for React2Shell remains effective at mitigating the RCE exploit.
Vulnerability summary:
- CVE-2025-55184 and CVE-2025-67779 (CVSS score 7.5) are denial-of-service vulnerabilities that can be triggered by malicious HTTP requests to any Server Functions endpoint. When React deserializes such a request, it enters an infinite loop that hangs the server process and consumes CPU. Applications are vulnerable even if they do not implement any React Server Function endpoints, as long as they support React Server Components. The original fix for CVE-2025-55184 was incomplete, leaving versions 19.0.2, 19.1.3, and 19.2.2 vulnerable; CVE-2025-67779 was filed to cover the additional cases discovered in these supposedly patched versions.
- CVE-2025-55183 (CVSS score 5.3) is a source code exposure vulnerability. A malicious HTTP request sent to a vulnerable Server Function may cause it to return the source code of any Server Function. Exploitation requires a Server Function that explicitly or implicitly exposes a stringified argument, for example one that creates a database connection with hardcoded credentials or returns a message that includes user-supplied parameters. When exploited, attackers may leak sensitive information, including hardcoded secrets embedded in the Server Function source code. Runtime secrets stored in environment variables (such as process.env.SECRET) are not affected.
The vulnerabilities affect the same packages and versions as the earlier CVE-2025-55182 (React2Shell): versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2 of three critical packages:
- react-server-dom-webpack,
- react-server-dom-parcel,
- react-server-dom-turbopack.
Fixes have been backported to versions 19.0.3, 19.1.4, and 19.2.3, and organizations using any of the affected packages should upgrade. Several React frameworks and bundlers that depended on, had peer dependencies for, or included the vulnerable React packages are also affected, including Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
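One practical first step is to check which copies of the three packages a project actually installs, including copies nested under a framework's own node_modules, and compare them against the fixed releases named above (19.0.3, 19.1.4, 19.2.3). The following is an added example written for this article, not code from the React team or any of the projects mentioned; it reads a package-lock.json-style `packages` map (the lockfile contents here are constructed) and treats any version below the fixed release of its own minor line as needing an upgrade. Minor lines the advisory does not name are reported as out of scope rather than guessed at.

```javascript
// Added example: audit a package-lock.json "packages" map for
// react-server-dom-* versions below the fixed releases in the advisory.
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Fixed releases from the advisory, keyed by minor line.
const FIXED_BY_MINOR = { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" };

// Parse "19.2.2", "^19.2.2" or "v19.2.2" into [major, minor, patch].
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim().replace(/^[\^~=v]/, ""));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Decide whether a single version string is below the fix for its minor line.
function assessVersion(version) {
  const v = parseVersion(version);
  if (!v) return { status: "unknown", reason: `unparseable version ${version}` };
  const minorKey = `${v[0]}.${v[1]}`;
  const fixed = FIXED_BY_MINOR[minorKey];
  if (!fixed) {
    // The advisory only names the 19.0, 19.1 and 19.2 lines; don't guess about others.
    return { status: "out-of-scope", reason: `minor line ${minorKey} not covered by the advisory` };
  }
  return compareVersions(v, parseVersion(fixed)) < 0
    ? { status: "vulnerable", upgradeTo: fixed }
    : { status: "fixed" };
}

// Walk every installed path (top-level and nested) and report the affected packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Lockfile v2/v3 keys look like "node_modules/<name>" or
    // "node_modules/<parent>/node_modules/<name>"; the last segment is the package name.
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    findings.push({ name, path, version: entry.version, ...assessVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one patched copy and two unpatched copies,
// one of them nested under a framework's own node_modules.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.2" },
    "node_modules/react-server-dom-webpack": { version: "19.2.2" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.4" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.0.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const action = f.status === "vulnerable" ? `upgrade to ${f.upgradeTo}` : f.status;
  console.log(`${f.path}@${f.version}: ${action}`);
}
```

For a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The whole `packages` map is scanned, not just direct dependencies, because frameworks such as those listed above may ship their own nested copy of a react-server-dom-* package that a top-level check would miss.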
Applications whose React code does not run on a server, or that do not use frameworks, bundlers, or bundler plugins supporting React Server Components, are not affected by these vulnerabilities.