- React released patches for two new vulnerabilities in React Server Components that could cause denial-of-service or source code leaks.
- The flaws were discovered during attempts to exploit a previous critical vulnerability, CVE-2025-55182, which has been active in the wild.
- Three related vulnerabilities have been identified: CVE-2025-55184 and CVE-2025-67779 cause server hangs due to unsafe deserialization, while CVE-2025-55183 risks exposing source code.
- These issues affect multiple versions of react-server-dom packages, with updates available in versions 19.0.3, 19.1.4, and 19.2.3.
- Security researchers credited for reporting these flaws include RyotaK, Shinsaku Nomura, and Andrew MacPherson.
React has issued security updates addressing two new vulnerabilities in its Server Components framework, potentially leading to denial-of-service (DoS) attacks or unintended source code exposure. These fixes were released on December 11, 2025, after these flaws were discovered amid efforts to exploit an earlier critical vulnerability known as CVE-2025-55182, which has seen active exploitation here.
The newly disclosed bugs include CVE-2025-55184 and CVE-2025-67779, both rated with a CVSS score of 7.5. They arise from unsafe deserialization of payloads in HTTP requests sent to Server Function endpoints, which can cause the server to enter an infinite loop and become unresponsive, blocking future requests. CVE-2025-67779 is noted as an incomplete fix for CVE-2025-55184 and has the same impact.
Another vulnerability, CVE-2025-55183, rated 5.3 for severity, involves an information leak. A carefully crafted HTTP request can cause a Server Function to reveal its source code. However, exploiting this flaw requires that a Server Function exposes an argument converted to string format.
The affected software versions include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack versions 19.0.0 through 19.2.1 for CVE-2025-55184 and CVE-2025-55183, and versions 19.0.2 through 19.2.2 for CVE-2025-67779. Users are urged to upgrade to versions 19.0.3, 19.1.4, or 19.2.3 promptly.
Security researchers RyotaK and Shinsaku Nomura reported the denial-of-service vulnerabilities to the Meta Bug Bounty program, while Andrew MacPherson disclosed the information leak flaw. According to the React team, “When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.” They added that such additional disclosures, though sometimes frustrating, indicate an active and effective security response cycle.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Fed Rate Cut Fails to Boost Bitcoin; BTC Holds Steady Near $92K
- CISA Flags High-Severity Vulnerability in OSGeo GeoServer Software
- Terraform Labs Founder Do Kwon Sentenced to 15 Years for Crypto Fraud
- Global Stablecoin Frameworks Expand as Banks Embrace Crypto in 2025
- Bitcoin Miners Poised to Lead Corporate Adoption Amid Treasury Slowdown
