React Server Components (RSC) are affected by two high-severity vulnerabilities and one medium-severity vulnerability, tracked as CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779.
CVE-2025-55184 and CVE-2025-67779 can lead to denial-of-service attacks, while CVE-2025-55183 exposes backend source code, potentially leaking API keys and other sensitive information.
CVE-2025-55184 and CVE-2025-67779: Denial of Service Vulnerabilities
Security researchers identified a flaw where a specially crafted HTTP request sent to any Server Functions endpoint triggers React’s deserialization process, leading to an infinite loop. This loop causes the server process to hang and spikes CPU usage. The issue affects apps supporting React Server Components, even without custom Server Function endpoints, enabling attackers to launch denial-of-service attacks that block user access and degrade server performance.
The vulnerable code is a function inside ReactFlightReplyServer that is responsible for handling server responses asynchronously.
This function processes chunks of incoming data and inspects them. The logic error was that a JSON payload sent to the server could be constructed so that its parameters point back to themselves, so the value inspection loop keeps following the reference, resulting in an infinite loop and preventing the server from responding.
The fix handles this case by counting iterations: if the loop has run more than 1000 times, it exits instead of continuing the value inspection loop.

Image Source: Qualys Threat Research Unit (TRU)
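To make the failure mode above concrete, here is an added illustrative model of a reply deserializer that follows chunk references, with the iteration cap the page describes. It is not React's ReactFlightReplyServer code; the chunk map layout, the "$<id>" reference syntax, and the sample bodies are constructed assumptions for this example.

```javascript
// Illustrative model only (not React's code). A reply body is a JSON object
// keyed by chunk id. A string of the form "$<id>" is a reference to another
// chunk, which the resolver follows until it reaches a concrete value. A chunk
// that points back at itself would make an unbounded follow loop spin forever,
// which is the denial-of-service the page describes.

const MAX_REFERENCE_HOPS = 1000; // the cap the page says the fix introduced

function parseReference(value) {
  if (typeof value === 'string' && value.length > 1 && value[0] === '$') {
    return value.slice(1);
  }
  return null;
}

// Hardened resolver: follows references, but gives up after maxHops and
// reports the chunk id so the request can be rejected instead of hanging.
function resolveChunk(chunks, id, maxHops = MAX_REFERENCE_HOPS) {
  let current = id;
  for (let hops = 0; hops <= maxHops; hops++) {
    if (!Object.prototype.hasOwnProperty.call(chunks, current)) {
      throw new Error(`unknown chunk ${current}`);
    }
    const value = chunks[current];
    const next = parseReference(value);
    if (next === null) {
      return { value, hops };
    }
    current = next;
  }
  throw new Error(`reference chain from chunk ${id} exceeded ${maxHops} hops`);
}

// Parse a reply body and resolve every chunk; a malformed body or an
// over-long reference chain yields a rejection rather than a hung process.
function deserializeReply(body, maxHops = MAX_REFERENCE_HOPS) {
  let chunks;
  try {
    chunks = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: 'malformed JSON' };
  }
  const resolved = {};
  for (const id of Object.keys(chunks)) {
    try {
      resolved[id] = resolveChunk(chunks, id, maxHops).value;
    } catch (e) {
      return { ok: false, reason: e.message };
    }
  }
  return { ok: true, resolved };
}

// Constructed sample bodies: a benign two-hop chain and a self-referencing chunk.
const BENIGN_BODY = '{"0":"$1","1":"$2","2":{"name":"alice"}}';
const SELF_REFERENCING_BODY = '{"0":"$0"}';
```

With the cap in place, the self-referencing body is rejected after 1000 hops while the benign chain still resolves; without it, the same call would never return.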
CVE-2025-55183: Source Code Exposure Vulnerability
A malicious HTTP request sent to a vulnerable server function can expose the source code of any server function in an unsafe manner.
Affected versions
These vulnerabilities affect the same packages and versions as CVE-2025-55182.
This includes versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1 and 19.2.2 of:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Mitigation
Patches for the vulnerabilities are backported to versions 19.0.3, 19.1.4, and 19.2.3.
It’s important to note that the versions released to patch the previous critical vulnerability (CVE-2025-55182) remain vulnerable to these issues. The previously patched versions 19.0.2, 19.1.3, and 19.2.2 are incomplete fixes, and users must upgrade to the latest versions.
For more information, please refer to the React Security Blog.
Qualys Detection
Qualys customers can scan their devices with QIDs 733519 and 530742 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.