|
| 1 | +--- |
| 2 | +title: "Denial of Service and Source Code Exposure in React Server Components" |
| 3 | +author: The React Team |
| 4 | +date: 2025/12/11 |
| 5 | +description: Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. High vulnerability Denial of Service (CVE-2025-55184), and medium vulnerability Source Code Exposure (CVE-2025-55183) |
| 6 | + |
| 7 | + |
| 8 | +--- |
| 9 | + |
| 10 | +December 11, 2025 by [The React Team](/community/team) |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +<Intro> |
| 15 | + |
| 16 | +Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. |
| 17 | + |
| 18 | +**These new vulnerabilities do not allow for Remote Code Execution.** The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit. |
| 19 | + |
| 20 | +</Intro> |
| 21 | + |
| 22 | +--- |
| 23 | + |
| 24 | +The new vulnerabilities are disclosed as: |
| 25 | + |
| 26 | +- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5) |
| 27 | +- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) |
| 28 | + |
| 29 | +We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities. |
| 30 | + |
| 31 | +<Note> |
| 32 | + |
| 33 | +#### The patches published earlier are vulnerable. {/*the-patches-published-earlier-are-vulnerable*/} |
| 34 | + |
| 35 | +If you already updated for the Critical Security Vulnerability last week, you will need to update again. |
| 36 | + |
| 37 | +If you updated to 19.0.2, 19.1.3, and 19.2.2, [these are incomplete](#additional-fix-published) and you will need to update again. |
| 38 | + |
| 39 | +Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps. |
| 40 | + |
| 41 | +</Note> |
| 42 | + |
| 43 | +Further details of these vulnerabilities will be provided after the rollout of the fixes are complete. |
| 44 | + |
| 45 | +## Immediate Action Required {/*immediate-action-required*/} |
| 46 | + |
| 47 | +These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components). |
| 48 | + |
| 49 | +This includes versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of: |
| 50 | + |
| 51 | +* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) |
| 52 | +* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) |
| 53 | +* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) |
| 54 | + |
| 55 | +Fixes were backported to versions 19.0.3, 19.1.4, and 19.2.3. If you are using any of the above packages please upgrade to any of the fixed versions immediately. |
| 56 | + |
| 57 | +As before, if your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. |
| 58 | + |
| 59 | +<Note> |
| 60 | + |
| 61 | +#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/} |
| 62 | + |
| 63 | +When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed. |
| 64 | + |
| 65 | +This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix. |
| 66 | + |
| 67 | +Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle. |
| 68 | + |
| 69 | +</Note> |
| 70 | + |
| 71 | +### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/} |
| 72 | + |
| 73 | +Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vite/rsc-plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). |
| 74 | + |
| 75 | +Please see [the instructions in the previous post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps. |
| 76 | + |
| 77 | +### Hosting Provider Mitigations {/*hosting-provider-mitigations*/} |
| 78 | + |
| 79 | +As before, we have worked with a number of hosting providers to apply temporary mitigations. |
| 80 | + |
| 81 | +You should not depend on these to secure your app, and still update immediately. |
| 82 | + |
| 83 | +### React Native {/*react-native*/} |
| 84 | + |
| 85 | +For React Native users not using a monorepo or `react-dom`, your `react` version should be pinned in your `package.json`, and there are no additional steps needed. |
| 86 | + |
| 87 | +If you are using React Native in a monorepo, you should update _only_ the impacted packages if they are installed: |
| 88 | + |
| 89 | +- `react-server-dom-webpack` |
| 90 | +- `react-server-dom-parcel` |
| 91 | +- `react-server-dom-turbopack` |
| 92 | + |
| 93 | +This is required to mitigate the security advisories, but you do not need to update `react` and `react-dom` so this will not cause the version mismatch error in React Native. |
| 94 | + |
| 95 | +See [this issue](https://github.com/facebook/react-native/issues/54772#issuecomment-3617929832) for more information. |
| 96 | + |
| 97 | +## High Severity: Denial of Service {/*high-severity-denial-of-service*/} |
| 98 | + |
| 99 | +**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) |
| 100 | +**Base Score:** 7.5 (High) |
| 101 | + |
| 102 | +Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. |
| 103 | + |
| 104 | +This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment. |
| 105 | + |
| 106 | +The patches published today mitigate by preventing the infinite loop. |
| 107 | + |
| 108 | +<Note> |
| 109 | + |
| 110 | +#### Additional fix published {/*additional-fix-published*/} |
| 111 | + |
| 112 | +The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete. |
| 113 | + |
| 114 | +This left versions 19.0.2, 19.1.3, 19.2.2 vulnerable. Versions 19.0.3, 19.1.4, 19.2.3 are safe. |
| 115 | + |
| 116 | +We've fixed the additional cases and filed [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) for the vulnerable versions. |
| 117 | + |
| 118 | +</Note> |
| 119 | + |
| 120 | +## Medium Severity: Source Code Exposure {/*low-severity-source-code-exposure*/} |
| 121 | + |
| 122 | +**CVE:** [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) |
| 123 | +**Base Score**: 5.3 (Medium) |
| 124 | + |
| 125 | +A security researcher has discovered that a malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument: |
| 126 | + |
| 127 | +```javascript |
| 128 | +'use server'; |
| 129 | + |
| 130 | +export async function serverFunction(name) { |
| 131 | + const conn = db.createConnection('SECRET KEY'); |
| 132 | + const user = await conn.createUser(name); // implicitly stringified, leaked in db |
| 133 | + |
| 134 | + return { |
| 135 | + id: user.id, |
| 136 | + message: `Hello, ${name}!` // explicitly stringified, leaked in reply |
| 137 | + }} |
| 138 | +``` |
| 139 | + |
| 140 | +An attacker may be able to leak the following: |
| 141 | + |
| 142 | +```txt |
| 143 | +0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"} |
| 144 | +1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"} |
| 145 | +``` |
| 146 | + |
| 147 | +The patches published today prevent stringifying the Server Function source code. |
| 148 | + |
| 149 | +<Note> |
| 150 | + |
| 151 | +#### Only secrets in source code may be exposed. {/*only-secrets-in-source-code-may-be-exposed*/} |
| 152 | + |
| 153 | +Secrets hardcoded in source code may be exposed, but runtime secrets such as `process.env.SECRET` are not affected. |
| 154 | + |
| 155 | +The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides. |
| 156 | + |
| 157 | +Always verify against production bundles. |
| 158 | + |
| 159 | +</Note> |
| 160 | + |
| 161 | +--- |
| 162 | + |
| 163 | +## Timeline {/*timeline*/} |
| 164 | +* **December 3rd**: Leak reported to Vercel and [Meta Bug Bounty](https://bugbounty.meta.com/) by [Andrew MacPherson](https://github.com/AndrewMohawk). |
| 165 | +* **December 4th**: Initial DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by [RyotaK](https://ryotak.net). |
| 166 | +* **December 6th**: Both issues confirmed by the React team, and the team began investigating. |
| 167 | +* **December 7th**: Initial fixes created and the React team began verifying and planning new patch. |
| 168 | +* **December 8th**: Affected hosting providers and open source projects notified. |
| 169 | +* **December 10th**: Hosting provider mitigations in place and patches verified. |
| 170 | +* **December 11th**: Additional DoS reported to [Meta Bug Bounty](https://bugbounty.meta.com/) by Shinsaku Nomura. |
| 171 | +* **December 11th**: Patches published and publicly disclosed as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) and [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184). |
| 172 | +* **December 11th**: Missing DoS case found internally, patched and publicly disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779). |
| 173 | + |
| 174 | +--- |
| 175 | + |
| 176 | +## Attribution {/*attribution*/} |
| 177 | + |
| 178 | +Thank you to [Andrew MacPherson (AndrewMohawk)](https://github.com/AndrewMohawk) for reporting the Source Code Exposure, [RyotaK](https://ryotak.net) from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities. |
0 commit comments