Severe Flaws in React Server Components Enable DoS Attacks and Code Exposure

Recently, security researchers uncovered two new vulnerabilities in React Server Components, which put servers at risk of Denial-of-Service (DoS) attacks and source code leaks.

These vulnerabilities were discovered during an analysis of patches for the critical “React2Shell” vulnerability that was disclosed last week.

Although these new issues do not allow for Remote Code Execution (RCE), they still pose significant threats to application stability and data privacy, making them a pressing concern for developers.

Denial of Service and Source Code Risks

The most severe of the two new vulnerabilities is a High-severity Denial-of-Service flaw that can be exploited by sending a specially crafted HTTP request to a server endpoint.

When React processes this malicious request, it triggers an infinite loop that consumes excessive CPU resources and hangs the server process, potentially causing it to crash or become unavailable to legitimate users.

The second vulnerability allows for the unauthorized exposure of source code, which can have serious consequences for application security.

CVE ID Severity CVSS Vulnerability Type
CVE-2025-55184 High 7.5 Denial of Service (DoS)
CVE-2025-67779 High 7.5 Denial of Service (DoS)
CVE-2025-55183 Medium 5.3 Source Code Exposure

A researcher discovered that under specific conditions, a malicious request could force a Server Function to return its own source code as a string, potentially leaking sensitive logic or internal database keys embedded within the function code.

The React team has warned that updates released earlier this week (versions 19.0.2, 19.1.3, and 19.2.2) are incomplete and remain vulnerable to these new exploits, emphasizing the need for immediate action.

Developers who recently updated their systems must update again to the newly released fixed versions to ensure the security of their applications.

The vulnerabilities affect widely used packages, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, as well as popular frameworks such as Next.js, React Router, and Waku.

React Native users employing these server packages in a monorepo setup should update the specific server packages without changing their core React version to avoid mismatches and ensure a smooth transition.

Related Articles

Back to top button