React Issues Additional Security Updates for React Server Components

Successful exploitation could allow an attacker to expose source code or lead to a denial of service condition

Threat ID:: CC-4728
Threat Severity:: Medium
Published:: 12 December 2025 1:22 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Successful exploitation could allow an attacker to expose source code or lead to a denial of service condition

Affected platforms

The following platforms are known to be affected:

React

React Server Components:

react-server-dom-webpack: versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2
react-server-dom-parcel: versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2
react-server-dom-turbopack: versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2

If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

Threat details

Introduction

React has released security updates addressing 3 vulnerabilities in React Server Components.

CVE-2025-67779 - 'Denial of Service' vulnerability with a CVSSv3 score of 7.5.
CVE-2025-55184 - 'Denial of Service' vulnerability with a CVSSv3 score of 7.5.
CVE-2025-55183 - 'Source Code Exposure' vulnerability with a CVSSv3 score of 5.3.

The initial fix for CVE-2025-55184 was incomplete. A complete fix has been issued under CVE-2025-67779. Organisations that have previously upgraded must upgrade again to the latest patched versions.

Remediation advice

Affected organisations are encouraged to review React's security advisory and apply the relevant updates as soon as possible.

Definitive source of threat updates

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

CVE Vulnerabilities

Status Published

CVE-2025-67779

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Status Published

CVE-2025-55184

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Status Published

CVE-2025-55183

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Last edited: 12 December 2025 1:22 pm