New React RSC Flaws CVE-2025-55183 and CVE-2025-55184 Raise Fresh Security Concerns

Last updated: 12/16/2025
  • New flaws in React Server Components, CVE-2025-55183 and CVE-2025-55184, enable source code exposure and denial of service.
  • Both issues affect specific 19.x versions of react-server-dom-parcel, -turbopack and -webpack packages.
  • Meta’s React team has released fixed versions 19.0.3, 19.1.4 and 19.2.3 and urges rapid upgrades.
  • The bugs were found while stress-testing earlier React2Shell (CVE-2025-55182) patches, showing intense scrutiny of RSC’s attack surface.


Two newly disclosed vulnerabilities in React Server Components (RSC) have put fresh attention on the security of modern JavaScript backends. Tracked as CVE-2025-55183 and CVE-2025-55184, these flaws do not enable direct remote code execution, but they can still cause serious disruption through denial-of-service and unwanted disclosure of backend source code when exploited in the right conditions.

These bugs surfaced as part of a broader security review triggered by the critical React2Shell issue (CVE-2025-55182), which had already attracted active exploitation in the wild. While the new weaknesses are less severe than that earlier CVSS 10.0 vulnerability, they highlight how, once a critical bug becomes public, researchers and attackers alike dive deep into adjacent RSC code paths searching for variant attack techniques.

Background: From React2Shell to New RSC Vulnerabilities


As defenders and the React team deployed mitigations for React2Shell, security researchers started to probe the updated code to check whether the fixes could be bypassed or extended into new exploit primitives. This process is standard practice across the industry: once a highly critical vulnerability is patched, nearby logic and interfaces are examined aggressively for similar patterns.

It was during this follow-on research that three related RSC bugs were documented: a denial-of-service issue (CVE-2025-55184), a subsequent incomplete fix with the same impact (CVE-2025-67779), and an information disclosure weakness (CVE-2025-55183). While CVE-2025-67779 is also relevant to RSC security, the main focus now is on understanding the newly detailed behavior and impact of CVE-2025-55183 and CVE-2025-55184.

Alongside this technical analysis, incident responders have seen exploit chains evolve around React2Shell, where attackers combine RCE with post-exploitation payloads and lateral movement. That continuing activity increases the urgency for organizations to treat all related RSC vulnerabilities, including CVE-2025-55183 and CVE-2025-55184, as part of a single evolving attack surface rather than isolated bugs.

The discovery and responsible disclosure of these issues demonstrate how the broader security community, vendor engineers and bug bounty hunters collaborate to harden widely used frameworks like React, even as adversaries attempt to weaponize the very same components.

Technical Details of CVE-2025-55184: Denial-of-Service in Server Functions

CVE-2025-55184 is described as a pre-authentication denial-of-service (DoS) vulnerability affecting React Server Components. The root of the problem lies in the way certain RSC packages handle deserialization of payloads from HTTP requests targeting Server Function endpoints.

In vulnerable versions, specially crafted requests can trigger unsafe deserialization logic that falls into an infinite loop. Once this loop is activated, the process handling the Server Function effectively hangs, leading to a state where the application is no longer able to serve subsequent HTTP traffic or respond reliably.

The impact is particularly concerning because the flaw can be exploited before any authentication is enforced. In other words, an attacker does not need valid credentials or elevated privileges to attempt exploitation; a stream of malicious requests is enough to tie up server resources and potentially knock an RSC-powered service offline.

According to the published scoring, CVE-2025-55184 carries a CVSS base score of 7.5, placing it in the high-severity category. While it does not offer code execution on its own, a reliable DoS primitive against a key part of the backend stack can still translate into availability risks, service-level agreement violations and downstream business impact.

During the patching process, a separate identifier, CVE-2025-67779, was assigned to an incomplete fix for this issue. That follow-up CVE addresses residual paths that still produced the same denial-of-service effect, underscoring how closing complex deserialization bugs can require multiple iterations to cover every edge case.

Technical Details of CVE-2025-55183: Source Code Exposure via Crafted Requests

Where CVE-2025-55184 is focused on availability, CVE-2025-55183 deals with confidentiality. This vulnerability is characterized as an information leak flaw in React Server Components that can cause the source code of certain Server Functions to be returned to a remote client.

In vulnerable releases, a carefully designed HTTP request sent to an exposed Server Function may trigger behavior where the server responds with the underlying code of any targeted Server Function. This kind of leakage can reveal implementation details, business logic, hard-coded strings or other sensitive information that organizations normally keep strictly on the server side.

However, exploitation of CVE-2025-55183 is gated by a specific precondition: there must be at least one Server Function whose interface exposes an argument that has been converted to a string format, either explicitly or implicitly. Only when this pattern exists in the application’s RSC usage does the vulnerability become viable for a would-be attacker.
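The precondition above (an argument that gets converted to a string) is worth seeing in plain JavaScript terms. The following is an added example, not code from the React project or from this article. The article does not spell out the mechanism; the example assumes that the coerced argument can arrive as a non-string value such as a function reference, in which case JavaScript's default string conversion (`Function.prototype.toString`) yields the function's source text. The `greetUnchecked`, `greetChecked` and `internalPricingRule` functions are hypothetical; the RSC request path that could deliver such a value is not modelled here, only the input-validation guard a defender would add.

```javascript
// Added example (not from the React project or this article). Shows why an
// implicit string conversion of an untrusted Server Function argument is a
// confidentiality risk, and the type check that closes the pattern.

// Hypothetical Server Function body that assumes `user` is a plain string.
// The template literal performs an implicit string conversion of `user`.
function greetUnchecked(user) {
  return `Hello, ${user}`;
}

// Hypothetical server-side logic that should never be visible to a client.
function internalPricingRule(quantity) {
  const SECRET_THRESHOLD = 42; // constructed example value
  return quantity > SECRET_THRESHOLD ? 'bulk' : 'retail';
}

// Hardened form: validate the runtime type before any coercion takes place,
// so objects and functions never reach the template literal.
function greetChecked(user) {
  if (typeof user !== 'string') {
    throw new TypeError('user must be a string');
  }
  return `Hello, ${user}`;
}

// Assumption for the demo: a function value reaches the argument. In the
// unchecked version its source text ends up in the returned string; in the
// checked version the request is rejected before any conversion happens.
function demo() {
  const leakedResponse = greetUnchecked(internalPricingRule);
  const leaked = leakedResponse.includes('SECRET_THRESHOLD');

  let rejected = false;
  try {
    greetChecked(internalPricingRule);
  } catch (e) {
    rejected = e instanceof TypeError;
  }

  return { leaked, rejected, okForString: greetChecked('alice') };
}

console.log(demo());
```

The same reasoning applies to `String(arg)`, `arg + ''` and `JSON.stringify`-free logging of arguments: any place a Server Function turns an argument into text is a place where the argument's runtime type must be enforced first.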

Published ratings assign a CVSS score of 5.3 to CVE-2025-55183, placing it in the medium-severity range. Even so, source code disclosure can be far from harmless. Knowledge of internal function names, parameters, error handling and data flows can help adversaries craft more tailored attacks, spot hidden weaknesses and engineer phishing or social engineering efforts that align more closely with the real system behavior.

Beyond any immediate exploitation value, the visibility gained from leaked Server Function code can effectively turn the application into its own blueprint for future intrusion attempts, especially in environments where the same patterns appear across multiple services.

Affected Packages and Versions in the React RSC Ecosystem

The newly documented vulnerabilities affect a set of React Server Components integration packages, specifically the implementations that plug RSC into build and runtime tools. The impacted modules are:

  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack

For both CVE-2025-55184 and CVE-2025-55183, the affected versions span multiple 19.x releases. The vulnerable set includes 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1. Development teams running these versions in production or staging need to assume that their instances may be susceptible to denial-of-service or source code leakage if exposed to untrusted traffic.

In addition, the incomplete fix represented by CVE-2025-67779 affects versions 19.0.2, 19.1.3 and 19.2.2. While this identifier is associated with the same kind of DoS behavior as CVE-2025-55184, it highlights that even upgraded environments might remain partially exposed if they landed on these intermediate releases.

The range of versions impacted demonstrates how RSC’s rapid iteration cycle can complicate patch management. Organizations that upgrade sporadically or pin to specific minor versions may not realize that a newly reached release falls inside an affected window, making careful version auditing essential.

Given the popularity of the React ecosystem and the growing adoption of Server Components for performance and developer experience, the pool of applications potentially touched by CVE-2025-55183 and CVE-2025-55184 is likely to span a wide spectrum of industries and deployment models.

Patched Versions and Recommended Upgrade Path

To address the vulnerabilities, the React team has released patched versions for all three affected RSC packages. Users are being urged to migrate as soon as is practical to the following fixed releases:

  • 19.0.3
  • 19.1.4
  • 19.2.3

According to the maintainers, these updates fully mitigate the denial-of-service problem embodied by CVE-2025-55184 and the related CVE-2025-67779, as well as the information disclosure risk described in CVE-2025-55183. Crucially, the earlier React2Shell vector (CVE-2025-55182) is also blocked by the broader set of patches that have been released across the 19.x branches.
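The affected and fixed versions listed in the two sections above can be turned into a quick dependency audit. The following is an added example, not a tool from the React project or this article: it walks a `package-lock.json`-style `packages` map, flags any `react-server-dom-parcel`, `-turbopack` or `-webpack` entry on a version the article names as vulnerable (including the intermediate releases covered by the incomplete fix, CVE-2025-67779), and suggests the fixed release on the same 19.x minor line. The sample lock data at the bottom is constructed for the demo.

```javascript
// Added example (not from the React project or this article): audit a
// lockfile-style dependency map for the react-server-dom-* versions the
// advisory summary lists as affected. Run offline with `node audit.js`.

const AFFECTED_PACKAGES = [
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'react-server-dom-webpack',
];

// Version sets exactly as given in the article.
const VULNERABLE = {
  'CVE-2025-55184': ['19.0.0', '19.0.1', '19.1.0', '19.1.1', '19.1.2', '19.2.0', '19.2.1'],
  'CVE-2025-55183': ['19.0.0', '19.0.1', '19.1.0', '19.1.1', '19.1.2', '19.2.0', '19.2.1'],
  'CVE-2025-67779': ['19.0.2', '19.1.3', '19.2.2'],
};

// Fixed release per 19.x minor line, keyed by "major.minor".
const FIXED = { '19.0': '19.0.3', '19.1': '19.1.4', '19.2': '19.2.3' };

// CVE identifiers affecting one package@version, or [] if it is not affected.
function cvesFor(name, version) {
  if (!AFFECTED_PACKAGES.includes(name)) return [];
  return Object.keys(VULNERABLE).filter((cve) => VULNERABLE[cve].includes(version));
}

// Fixed release on the same minor line, or null if the line is not listed.
function fixedVersionFor(version) {
  const minor = version.split('.').slice(0, 2).join('.');
  return FIXED[minor] || null;
}

// Walk a package-lock v2/v3 style "packages" map whose keys look like
// "node_modules/<name>" or nested "node_modules/a/node_modules/<name>".
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!name || !meta || !meta.version) continue;
    const cves = cvesFor(name, meta.version);
    if (cves.length) {
      findings.push({
        path,
        name,
        version: meta.version,
        cves,
        upgradeTo: fixedVersionFor(meta.version),
      });
    }
  }
  return findings;
}

// Human-readable report lines, one per finding.
function report(lock) {
  return auditLock(lock).map(
    (f) => `${f.path}@${f.version}: ${f.cves.join(', ')} -> upgrade to ${f.upgradeTo}`,
  );
}

// Constructed sample lock: one unrelated package, one entry on the original
// vulnerable range, one nested entry stuck on an intermediate release, and
// one already on a fixed release.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/react': { version: '19.2.3' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-app/node_modules/react-server-dom-turbopack': { version: '19.1.3' },
    'node_modules/react-server-dom-parcel': { version: '19.0.3' },
  },
};

console.log(report(SAMPLE_LOCK).join('\n'));
```

Nested `node_modules` entries matter here: a transitive copy of one of these packages pulled in by a framework dependency is just as exposed as a top-level one, which is why the audit walks the whole `packages` map rather than only direct dependencies.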

Teams responsible for production deployments are encouraged to treat this as a high-priority maintenance task, especially considering the active exploration of RSC vulnerabilities by both legitimate researchers and hostile actors. Where immediate deployment of the latest minor line is not feasible, organizations should at minimum ensure they are not stuck on any of the specifically listed vulnerable builds.

As always, upgrading libraries should go hand in hand with testing and staged rollouts. Adding regression checks around critical Server Functions, monitoring error rates after the upgrade and reviewing logs for unusual deserialization or serialization activity can help ensure that the new versions behave as expected under real traffic.

The swift availability of patches underscores the React team’s stance that multiple rounds of disclosures are not necessarily a sign of failed remediation, but rather of a healthy response cycle where defensive depth improves over time as more edge cases and variant paths are uncovered and resolved.

How the Vulnerabilities Were Discovered and Reported

The newly documented flaws reflect an ongoing collaboration between independent security researchers and Meta’s bug bounty program. The denial-of-service issues, CVE-2025-55184 and the follow-on CVE-2025-67779, were reported by RyotaK and Shinsaku Nomura, who earned credit for identifying how malicious payloads could push RSC into a non-responsive state.

The information leak vulnerability, CVE-2025-55183, was disclosed by Andrew MacPherson, who highlighted the conditions under which a Server Function might return its own source code when presented with a carefully constructed HTTP request.

These findings emerged while the researchers were actively attempting to stress-test the existing mitigations for CVE-2025-55182. In doing so, they effectively replicated the kind of analytical work that determined attackers might carry out, but within a framework of responsible reporting and coordinated patch distribution.

The React team has publicly acknowledged that patterns like this are typical across the software industry, not just within the JavaScript ecosystem. Once a critical bug captures attention, developers and adversaries both search for “variant” exploit strategies along neighboring code paths, sometimes revealing previously overlooked weaknesses.

By addressing CVE-2025-55183, CVE-2025-55184 and CVE-2025-67779 promptly and transparently, the maintainers aim to stay ahead of potential weaponization while giving organizations clear guidance on how to secure their React Server Components deployments.

Risk Context: Why Non-RCE Bugs Still Matter

Even though these new vulnerabilities do not themselves grant an attacker direct remote code execution, they can still be high-value tools in a broader intrusion kit. A denial-of-service flaw like CVE-2025-55184 can be used to disrupt operations, act as a smokescreen that distracts defenders or probe how resilient an organization’s infrastructure is under abnormal load.

In parallel, a source code exposure vector such as CVE-2025-55183 can feed reconnaissance efforts. Access to the internal text of Server Functions can reveal how requests are authenticated, which parameters influence database access, how errors are handled and where third-party services are integrated. That visibility is invaluable to attackers trying to line up more precise or stealthy exploitation attempts.

In environments already dealing with the aftermath of React2Shell (CVE-2025-55182), these additional weaknesses increase the complexity of the overall threat landscape. Defenders are forced to consider not only immediate RCE prevention but also the stability and confidentiality of RSC behavior under malicious input.

From a governance perspective, this situation highlights why vulnerability management programs need to look beyond headline-grabbing CVSS 10.0 scores. Mid- and high-severity bugs affecting availability and information exposure can still be pivotal, particularly when combined with other techniques in a realistic attack chain.

Ultimately, these developments reinforce the idea that maintaining secure RSC deployments is not a one-off effort. It is instead a continuing process of patching, monitoring, testing and reviewing how Server Functions are designed and exposed over time.

As the dust settles around the React2Shell emergency and its associated follow-on discoveries, organizations using React Server Components are being pushed to re-examine their dependency versions, harden their server-side interfaces and respond quickly to upstream security advisories. By staying aligned with the latest patched releases and integrating security checks into their development workflows, teams can significantly reduce the window of opportunity for attackers targeting CVE-2025-55183, CVE-2025-55184 and related RSC vulnerabilities.
