
New DoS and source code exposure bugs in React Server Components and Next.js: what’s affected and how to update safely.

Published:

12 December 2025 at 16:00:11

Alert date:

12 December 2025 at 18:01:26

Source:

socket.dev


Security researchers discovered three new vulnerabilities in React Server Components following the React2Shell disclosure. CVE-2025-55184 and CVE-2025-67779 are DoS vulnerabilities with CVSS 7.5 that cause infinite loops during deserialization. CVE-2025-55183 is a source code exposure vulnerability with CVSS 5.3 that can reveal compiled source code through crafted requests. These affect RSC implementations in frameworks like Next.js. While they don't enable RCE like React2Shell, they require immediate patching. Developers who already updated for React2Shell need to update again.

Technical details

Two classes of new vulnerabilities were discovered in React Server Components (RSC):

1) Denial of Service: malicious requests to RSC endpoints can trigger infinite loops during deserialization, causing server processes to hang and consume CPU.

2) Source Code Exposure: crafted requests to vulnerable Server Functions may cause servers to return compiled source code, revealing business logic or hardcoded secrets.

These vulnerabilities affect RSC implementations but do not enable remote code execution.

Mitigation steps:

1) Review Socket scans to identify projects using vulnerable RSC package versions or frameworks.

2) Upgrade immediately to patched versions (19.0.3, 19.1.4, 19.2.3) or framework-provided patches.

3) Deploy updated builds as soon as possible.

4) Rotate any hardcoded secrets that may have been exposed in Server Function source code.

Teams that updated to the previous 'safe' versions (19.0.2, 19.1.3, 19.2.2) must upgrade again.
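As an added example (not part of this advisory and not code from the React project), the script below checks a package-lock.json for react-server-dom-* entries and classifies each version against the affected and patched lists given in this advisory; the sample lockfile is constructed, and any version outside the lists is reported as unknown rather than assumed safe.

```javascript
// Version lists as stated in the advisory (react-server-dom-webpack/-parcel/-turbopack).
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const AFFECTED = new Set(["19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1"]);
const AFFECTED_DOS = new Set(["19.0.2", "19.1.3", "19.2.2"]); // the earlier React2Shell fixes
const PATCHED = new Set(["19.0.3", "19.1.4", "19.2.3"]);

// Map one exact version string to a status; anything not listed is flagged for manual review
// (prerelease tags, older majors and future releases are deliberately not guessed at).
function classifyVersion(version) {
  if (AFFECTED.has(version)) return "affected (advisory list)";
  if (AFFECTED_DOS.has(version)) return "affected (DoS list; upgrade again)";
  if (PATCHED.has(version)) return "patched";
  return "unknown: not in advisory lists, verify manually";
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys are install
// paths such as "node_modules/next/node_modules/react-server-dom-turbopack", so nested
// copies pulled in by a framework are found as well as top-level ones.
function auditLockfile(lock) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const name = installPath.split("node_modules/").pop();
    if (RSC_PACKAGES.includes(name) && typeof entry.version === "string") {
      findings.push({ installPath, name, version: entry.version, status: classifyVersion(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: one DoS-list copy, one nested patched copy, one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/react-server-dom-webpack": { version: "19.1.3" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.3" },
    "node_modules/react": { version: "19.1.3" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.installPath}@${f.version}: ${f.status}`);
}
```

Run it against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; only exact versions from the advisory are classified, so an "unknown" result is a prompt to check, not a clean bill of health.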

Affected products:

- react-server-dom-webpack: versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1; additionally for DoS: 19.0.2, 19.1.3, 19.2.2
- react-server-dom-parcel: versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1; additionally for DoS: 19.0.2, 19.1.3, 19.2.2
- react-server-dom-turbopack: versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1; additionally for DoS: 19.0.2, 19.1.3, 19.2.2
- Next.js: versions 13.x-16.x
- Vite RSC plugin
- Parcel RSC
- React Router's RSC preview
- Waku
- RedwoodSDK

Related CVEs:

CVE-2025-55183, CVE-2025-55184, CVE-2025-67779

IOCs:

- Malicious requests to RSC endpoints causing infinite loops
- Crafted requests to Server Functions returning source code
- Server processes hanging and consuming high CPU

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.