The security saga surrounding React Server Components continues this week. Just days after the React team patched a critical remote code execution (RCE) flaw, security researchers digging into those very fixes have unearthed two additional vulnerabilities. While less catastrophic than their predecessor, these new flaws pose significant risks, ranging from server-crashing Denial of Service (DoS) attacks to sensitive source code exposure.
The most pressing issue, rated as High Severity (CVSS 7.5), involves a vulnerability that can bring a server to its knees. Tracked as CVE-2025-55184 and CVE-2025-67779, this flaw allows an attacker to trigger an infinite loop on the server by sending a specific malicious HTTP request.
The impact is immediate and resource-intensive. According to the advisory, the loop consumes the server’s CPU, effectively locking up resources.
Crucially, this vulnerability has a broad blast radius. It doesn’t require the application to be actively using specific server functions to be at risk. “Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components,” the report warns.
This flaw creates a dangerous vector for attackers looking to disrupt business operations. “This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment”.
The second vulnerability, CVE-2025-55183 (CVSS 5.3), is a Medium Severity issue that targets the confidentiality of the application’s code.
Researchers discovered that under specific conditions, a malicious request could trick a Server Function into returning its own source code to the attacker. “A security researcher has discovered that a malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function,” the advisory explains.
Exploitation isn’t automatic; it requires a specific coding pattern where a Server Function “explicitly or implicitly exposes a stringified argument”. However, if exploited, it could leak sensitive logic or internal database keys embedded within the function’s code.
The React Team explicitly confirmed that these new bugs do not re-open the door to total server takeover. “These new vulnerabilities do not allow for Remote Code Execution. The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit”.
The vulnerabilities affect the same packages as the previous RCE flaw, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
Affected versions include 19.0.0 through 19.0.2, 19.1.0 through 19.1.2, and 19.2.0 through 19.2.2.
Developers are advised to update to the newly released fixed versions:
- 19.0.3
- 19.1.4
- 19.2.3
“We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities,” the team urges.
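To turn the version list above into a concrete check, here is an added example (not code from the React advisory or the React project) that walks the packages map of a package-lock.json and reports any react-server-dom-* entry inside the affected ranges, using the ranges and fixed releases exactly as this article lists them; the sample lockfile fragment is constructed.

```javascript
// Added example, not code from the React advisory or the React project: flags
// installed react-server-dom-* packages inside the affected ranges listed above.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
]);
// Affected ranges (inclusive) and fixed versions exactly as the article lists them.
const RANGES = [
  { from: [19, 0, 0], to: [19, 0, 2], fixed: '19.0.3' },
  { from: [19, 1, 0], to: [19, 1, 2], fixed: '19.1.4' },
  { from: [19, 2, 0], to: [19, 2, 2], fixed: '19.2.3' },
];
// Parses "19.1.2" or "v19.1.2"; a prerelease suffix is dropped, so the version
// is judged conservatively by its base number.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Returns whether one version is in an affected range and the fix to move to.
function assessVersion(version) {
  const v = parseVersion(version);
  for (const r of RANGES) {
    if (compare(v, r.from) >= 0 && compare(v, r.to) <= 0) {
      return { vulnerable: true, upgradeTo: r.fixed };
    }
  }
  return { vulnerable: false, upgradeTo: null };
}
// Walks the "packages" map of a package-lock.json (lockfile v2/v3), so nested
// copies under another dependency's node_modules are caught as well.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const { vulnerable, upgradeTo } = assessVersion(entry.version);
    if (vulnerable) findings.push({ name, path, version: entry.version, upgradeTo });
  }
  return findings;
}
// Constructed sample lockfile fragment, not taken from any real project.
const SAMPLE_LOCK = { packages: {
  'node_modules/react-server-dom-webpack': { version: '19.1.2' },
  'node_modules/react-server-dom-turbopack': { version: '19.2.3' },
  'node_modules/some-framework/node_modules/react-server-dom-parcel': { version: '19.0.1' },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

Against a real project, pass it the parsed lockfile, e.g. `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`.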