The React team has released fixes for two new classes of flaws in React Server Components (RSC) that, if successfully exploited, could lead to denial-of-service (DoS) or source code exposure.
The team said the issues were discovered by the security community while testing the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in the wild.
The three vulnerabilities are listed below –
- CVE-2025-55184 (CVSS score: 7.5) – A pre-authentication denial-of-service vulnerability arising from unsafe deserialization of payloads from HTTP requests to Server Function endpoints, triggering an infinite loop that hangs the server process and may prevent future HTTP requests from being served
- CVE-2025-67779 (CVSS score: 7.5) – An incomplete fix for CVE-2025-55184 that has the same impact
- CVE-2025-55183 (CVSS score: 5.3) – An information leak vulnerability that may cause a specially crafted HTTP request sent to a vulnerable Server Function to return the source code of any Server Function
However, successful exploitation of CVE-2025-55183 requires the existence of a Server Function that explicitly or implicitly exposes an argument that has been converted into a string format.

The flaws affect the following versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack –
- CVE-2025-55184 and CVE-2025-55183 – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1
- CVE-2025-67779 – 19.0.2, 19.1.3, and 19.2.2
Security researchers RyotaK and Shinsaku Nomura have been credited with reporting the two DoS bugs to the Meta Bug Bounty program, while Andrew MacPherson has been acknowledged for reporting the information leak flaw.
Users are advised to update to versions 19.0.3, 19.1.4, and 19.2.3 as soon as possible, particularly in light of active exploitation of CVE-2025-55182.
"When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed," the React team said. "This pattern shows up across the industry, not just in JavaScript. Additional disclosures can be frustrating, but they're usually a sign of a healthy response cycle."
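As an added example (not code from the React team or from this article), the following Node.js check walks the "packages" map of a package-lock.json and reports any installed copy of the three react-server-dom packages whose exact version appears in the affected lists above, together with the CVEs that apply; the lockfile contents are constructed for illustration.

```javascript
// Added example: inventory check for the versions named in the advisory.
// Not code from the React team or the article; the sample lockfile is constructed.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// Exact versions as listed in the advisory, keyed by CVE.
const DOS_AND_LEAK = ["19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1"];
const AFFECTED_VERSIONS = {
  "CVE-2025-55184": DOS_AND_LEAK,                   // pre-auth DoS
  "CVE-2025-55183": DOS_AND_LEAK,                   // Server Function source leak
  "CVE-2025-67779": ["19.0.2", "19.1.3", "19.2.2"], // incomplete DoS fix
};

// Which of the three CVEs apply to one exact version string.
function cvesForVersion(version) {
  return Object.keys(AFFECTED_VERSIONS).filter((cve) =>
    AFFECTED_VERSIONS[cve].includes(version));
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/<name>" or, for nested copies,
// "node_modules/<dep>/node_modules/<name>"; the root project key is "".
function findAffected(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name) || typeof meta.version !== "string") continue;
    const cves = cvesForVersion(meta.version);
    if (cves.length > 0) findings.push({ path, version: meta.version, cves });
  }
  return findings;
}

// Constructed sample: one vulnerable copy, one nested copy on an
// incomplete-fix release, and one already on a fixed release (19.2.3).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.1.3" },
    "node_modules/react-server-dom-parcel": { version: "19.2.3" },
  },
};

for (const f of findAffected(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}@${f.version}: ${f.cves.join(", ")}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; nested copies pulled in by a framework are reported as well, since a top-level upgrade alone does not fix them.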