Security researchers have disclosed two new vulnerabilities in React Server Components that expose servers to Denial-of-Service (DoS) attacks and to source code leaks.
These flaws were discovered while experts were analyzing the patches for last week’s critical “React2Shell” vulnerability.
While these new issues do not allow for Remote Code Execution (RCE), they still pose significant risks to application stability and data privacy.
Denial of Service and Source Code Risks
The most severe of the new flaws involves a Denial-of-Service vulnerability rated High severity.
Attackers can exploit this by sending a specially crafted HTTP request to a server endpoint.
When React processes this malicious request, it triggers an infinite loop that hangs the server process and consumes excessive CPU resources.
This can crash the server or make it entirely unavailable to legitimate users.
The second vulnerability allows for the unauthorized exposure of source code.
| CVE ID | Severity | CVSS | Vulnerability Type |
|---|---|---|---|
| CVE-2025-55184 | High | 7.5 | Denial of Service (DoS) |
| CVE-2025-67779 | High | 7.5 | Denial of Service (DoS) |
| CVE-2025-55183 | Medium | 5.3 | Source Code Exposure |
A researcher found that under specific conditions, a malicious request could force a Server Function to return its own source code as a string.
This could leak sensitive logic or internal database keys embedded within the function code.
The React team has warned that updates released earlier this week (versions 19.0.2, 19.1.3, and 19.2.2) are incomplete and remain vulnerable to these new exploits.
Developers who recently updated their systems must update again immediately to the newly released fixed versions.
The vulnerabilities affect the widely used React Server Components packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
Popular frameworks such as Next.js, React Router, and Waku build on these packages and are therefore affected as well.
React Native users who consume these server packages in a monorepo setup should update only the react-server-dom-* packages and leave their core React version in place, to avoid version mismatches.
