Critical Vulnerabilities Uncovered in React Server Components: Immediate Action Required
Web development's reliance on frameworks like React makes vigilance against newly disclosed flaws a necessity. Recent disclosures by the React team cover a series of critical vulnerabilities in React Server Components (RSC), with impacts ranging from unauthenticated remote code execution (RCE) to denial of service (DoS) and exposure of server-side source code. The sequence also illustrates a recurring pattern: scrutiny of the patch for one vulnerability surfaced further flaws in the same code path. Organizations running React Server Components should treat remediation as urgent, for both their applications and the infrastructure behind them.
Security Impact Analysis
CVE-2025-55182: Unauthenticated Remote Code Execution (RCE)
CVE-2025-55182, also referred to as "React2Shell", is a critical pre-authentication remote code execution vulnerability with the maximum CVSS score of 10.0. The flaw lies in insecure deserialization in the RSC "Flight" protocol, specifically in how React decodes payloads sent to React Server Function endpoints. An unauthenticated attacker can send a crafted HTTP POST request to a Server Function endpoint; when React deserializes the body, the attacker obtains arbitrary code execution on the server.
The exploitation of CVE-2025-55182 is straightforward, with public proof-of-concept exploits available and active exploitation attempts observed in the wild. Successful exploitation can lead to full infrastructure compromise, including filesystem access, credential harvesting, and the installation of persistent access mechanisms. Post-exploitation activities have included scanning for vulnerable servers, reconnaissance, attempted theft of cloud credentials, installation of downloaders for attacker command and control (C2) infrastructure, and deployment of various malware such as Cobalt Strike, cryptomining software, interactive web shells, EtherRAT, Noodle RAT, SNOWLIGHT, and VShell Trojans. Cloud and container environments, including Kubernetes, have also been targeted with attempts to install Mirai loaders.
Affected packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Popular frameworks and bundlers that depend on or include these vulnerable packages are also impacted, notably Next.js (versions 15.x and 16.x), React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
The initial fix for CVE-2025-55182 shipped in versions 19.0.1, 19.1.2, and 19.2.1. Temporary mitigations were also recommended, such as disabling Server Functions or deploying Web Application Firewall (WAF) rules, and Cloudflare, Google Cloud Armor, Vercel, and Firebase Hosting added platform-level protections. These measures reduce exposure while an upgrade is scheduled; they do not replace it, because a filter that matches known payload shapes offers no guarantee against variants of the same deserialization flaw.
New Vulnerabilities: Denial of Service (DoS) and Source Code Exposure
Following the disclosure and patching efforts for CVE-2025-55182, security researchers, while scrutinizing the efficacy of the initial patches, uncovered two additional types of flaws in React Server Components. These new vulnerabilities, while not enabling RCE, still pose substantial risks to application stability, availability, and intellectual property.
CVE-2025-55184 and CVE-2025-67779: Denial of Service (DoS)
CVE-2025-55184 is a high-severity denial-of-service vulnerability with a CVSS score of 7.5. Like the RCE, it arises from unsafe deserialization of payloads in HTTP requests to Server Function endpoints: a specially crafted request drives the server process into an infinite loop, which pins the CPU and leaves the process unable to serve further requests. CVE-2025-67779 was assigned after the fix for CVE-2025-55184 proved incomplete, since some payload variants still triggered the loop in the patched versions.
These DoS vulnerabilities affect versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Consequently, frameworks like Next.js (versions 13.x through 16.x), React Router, and Waku are also impacted.
CVE-2025-55183: Source Code Exposure
CVE-2025-55183 is an information disclosure vulnerability with a medium-severity CVSS score of 5.3. Under specific conditions, a malicious HTTP request to a vulnerable Server Function can cause that function to return its own source code as a string rather than execute it. The precondition is a Server Function that converts one of its arguments to a string, explicitly or implicitly (for example through concatenation or template interpolation), and exposes the result.
The risk is one of confidentiality: the leaked source can reveal business logic, proprietary algorithms, and any database keys or API secrets hardcoded in the function body. Secrets read at runtime, such as process.env.SECRET, are not exposed, because only the lookup expression appears in the source text, not the value.
The affected packages and versions for source code exposure are the same as for the DoS vulnerabilities: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2.
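The following is an added illustration, not React's code and not a reproduction of the exploit. It shows the plain JavaScript mechanism behind the leak described above: converting a function object to a string (String(fn), `${fn}`, "" + fn) yields the function's source text, so a Server Function that echoes a stringified argument leaks its own body if that argument is a function. The demo assumes, for illustration only, that the deserialized argument can be the function itself; the function names, the hardcoded key and the SECRET value are all constructed.

```javascript
// Added illustration (not React's code): why a Server Function that
// stringifies an argument can leak its own source, and why a hardcoded
// secret is exposed while a process.env lookup is not.
// Assumption for the demo: the deserialized argument handed to the
// function can be a function object (here, the function itself).

// Vulnerable pattern: the argument is implicitly converted to a string
// and echoed back, and a secret is hardcoded in the function body.
function greetVulnerable(name) {
  const API_KEY = "sk_constructed_example_key_123"; // constructed, hardcoded (bad)
  return `Hello ${name}; key length ${API_KEY.length}`;
}

// Same echo, but the secret is read at runtime. The source text then
// contains only the lookup expression, never the value.
function greetRuntimeSecret(name) {
  const apiKey = process.env.SECRET ?? "";
  return `Hello ${name}; key length ${apiKey.length}`;
}

// Hardened pattern: validate the argument's type before it can reach any
// string conversion. This is defence in depth; the fix is the upgrade.
function greetHardened(name) {
  if (typeof name !== "string") {
    throw new TypeError("name must be a string");
  }
  const apiKey = process.env.SECRET ?? "";
  return `Hello ${name}; key length ${apiKey.length}`;
}

// Simulate the hostile call: each function receives itself as `name`.
function demonstrateLeak() {
  process.env.SECRET = "runtime-only-value"; // constructed value for the demo
  const leaked = greetVulnerable(greetVulnerable);
  const runtime = greetRuntimeSecret(greetRuntimeSecret);
  let hardenedRejected = false;
  try {
    greetHardened(greetHardened);
  } catch (err) {
    hardenedRejected = err instanceof TypeError;
  }
  return {
    // the hardcoded literal now sits in the response body
    leaksHardcodedSecret: leaked.includes("sk_constructed_example_key_123"),
    // the source mentions process.env.SECRET, but the value never appears
    leaksRuntimeSecret: runtime.includes("runtime-only-value"),
    hardenedRejected,
    leaked,
    runtime,
  };
}

console.log(demonstrateLeak());
```

The type check in greetHardened is worth keeping even on patched versions: a Server Function is an unauthenticated network endpoint, and treating every argument as untrusted input is the same discipline applied to any other request handler.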
Affected Systems vs. Mitigation Strategies
| Vulnerability | Affected Packages (Versions) | Affected Frameworks | Mitigation Strategy |
|---|---|---|---|
| CVE-2025-55182 (RCE) | react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0) | Next.js (15.x, 16.x), React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk | Initial fix in 19.0.1, 19.1.2, 19.2.1; upgrade to 19.0.3, 19.1.4, 19.2.3 to also cover the later DoS and source exposure CVEs. Disable Server Functions or deploy WAF rules only as temporary measures. |
| CVE-2025-55184 (DoS) & CVE-2025-67779 (Incomplete DoS Fix) | react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, 19.2.2) | Next.js (13.x-16.x), React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk | Upgrade to 19.0.3, 19.1.4, 19.2.3. |
| CVE-2025-55183 (Source Code Exposure) | react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, 19.2.2) | Next.js (13.x-16.x), React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk | Upgrade to 19.0.3, 19.1.4, 19.2.3. |
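The version lists above are only useful if you can check them against what is actually installed, including copies nested under a framework. The following is an added example, not part of the React advisory or any framework's tooling: it audits an npm lockfile (v2/v3 "packages" map) for the three react-server-dom-* packages, reports which CVE groups apply to each installed copy using the table's version lists, and flags anything below the fully patched release for its minor line. The lockfile contents and package layout are constructed for the demo.

```javascript
// Added example (not from the React advisory or any project): audit a
// package-lock.json for affected react-server-dom-* versions.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

const DOS_AND_LEAK_VERSIONS = [
  "19.0.0", "19.0.1", "19.0.2", "19.1.0", "19.1.1", "19.1.2",
  "19.2.0", "19.2.1", "19.2.2",
];

// Affected versions per CVE group, as listed in the advisory table.
const AFFECTED_BY_CVE = {
  "CVE-2025-55182 (RCE)": new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]),
  "CVE-2025-55184/CVE-2025-67779 (DoS)": new Set(DOS_AND_LEAK_VERSIONS),
  "CVE-2025-55183 (source exposure)": new Set(DOS_AND_LEAK_VERSIONS),
};

// Minimum release that closes all four CVEs, one per minor line.
const FULLY_PATCHED = ["19.0.3", "19.1.4", "19.2.3"];

// True when `version` shares a minor line with a FULLY_PATCHED entry and
// its patch number is lower. Catches versions the enumerated lists omit.
function belowFullyPatched(version) {
  const [maj, min, pat] = version.split(".").map(Number);
  const target = FULLY_PATCHED.find((v) => v.startsWith(`${maj}.${min}.`));
  return target !== undefined && pat < Number(target.split(".")[2]);
}

// Classify one installed version. Prerelease/canary builds (as bundled by
// some frameworks) are not in the enumerated lists, so they are flagged
// for manual review rather than reported as clean.
function classifyVersion(version) {
  if (version.includes("-")) {
    return {
      version,
      findings: [`prerelease build: compare against ${FULLY_PATCHED.join(", ")} manually`],
      patched: false,
    };
  }
  const findings = Object.entries(AFFECTED_BY_CVE)
    .filter(([, versions]) => versions.has(version))
    .map(([cve]) => cve);
  if (findings.length === 0 && belowFullyPatched(version)) {
    findings.push("below fully patched release for this minor line");
  }
  return { version, findings, patched: findings.length === 0 };
}

// Walk every lockfile entry, including nested installs such as
// node_modules/next/node_modules/react-server-dom-webpack.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // last path segment
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    results.push({ path, name, ...classifyVersion(entry.version) });
  }
  return results;
}

function isFullyPatched(results) {
  return results.every((r) => r.patched);
}

// Constructed lockfile: one copy on a release affected by all CVEs, one
// nested copy on an intermediate release, one copy on a fixed release.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "16.0.0" } },
    "node_modules/next": { version: "16.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.2" },
    "node_modules/react-server-dom-parcel": { version: "19.2.3" },
  },
});

const report = auditLockfile(SAMPLE_LOCKFILE);
for (const r of report) {
  console.log(`${r.path}@${r.version}: ${r.patched ? "patched" : r.findings.join("; ")}`);
}
console.log(isFullyPatched(report) ? "all copies patched" : "upgrade required");
```

To run it against a real project, replace SAMPLE_LOCKFILE with the contents of package-lock.json; the nested-path handling matters because a framework can ship its own copy of a react-server-dom-* package that a top-level upgrade does not touch.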
Expert Verdict
The recent cascade of vulnerabilities in React Server Components, particularly the critical CVE-2025-55182 and the subsequent DoS and source code exposure flaws, presents a severe and immediate threat to a significant portion of the web ecosystem. Given React's widespread adoption, affecting over 40% of the top 10,000 websites, the potential for widespread impact is immense. The active exploitation of CVE-2025-55182 in the wild, coupled with the ease of exploitation, necessitates an urgent and comprehensive response from all organizations utilizing React Server Components.
It is imperative that development and security teams upgrade immediately to the latest patched versions of the affected React packages and frameworks. Applying only the initial patches for CVE-2025-55182 (19.0.1, 19.1.2, 19.2.1) is insufficient, because those versions remain vulnerable to the subsequently discovered DoS and source code exposure issues. Organizations must move to 19.0.3, 19.1.4, or 19.2.3 (or a later release in the same line) to close all four CVEs, and confirm that framework-bundled or nested copies of the react-server-dom-* packages are updated as well, not only direct dependencies. Beyond patching, continuous monitoring for suspicious activity, tested incident response plans, and ongoing security assessments of server-side rendering environments remain essential to a strong security posture.