New React Server Components Vulnerabilities: DoS and Source Code Exposure

New DoS and source code exposure bugs in React Server Components and Next.js: what’s affected and how to update safely.

Sarah Gooding

December 12, 2025

Security researchers have identified two additional vulnerabilities in React Server Components (RSC) following last week's React2Shell (CVE-2025-55182) disclosure. The new issues affect many of the same packages and frameworks but do not enable remote code execution. The earlier React2Shell patch remains effective against RCE, but developers who already upgraded last week will need to update again to pick up these fixes.

New React Server Components Vulnerabilities

Denial of Service

CVE-2025-55184, CVE-2025-67779

Base Score: 7.5 (High)
A malicious request to an RSC endpoint can trigger an infinite loop during deserialization of the request payload, causing the server process to hang and consume CPU. The initial fix for CVE-2025-55184 (shipped in 19.0.2, 19.1.3 and 19.2.2) was incomplete and still left a reachable variant, which is tracked separately as CVE-2025-67779.

Source Code Exposure

CVE-2025-55183

Base Score: 5.3 (Medium)
A crafted request to a vulnerable Server Function may cause the server to return the compiled source code of that function. This can reveal business logic and any secrets that are hardcoded as literals in that source. Secrets read at runtime, such as environment variables, are not exposed by this bug.

Neither issue enables RCE, but both should be patched immediately: the DoS needs nothing more than a request to an RSC endpoint, and the source exposure may already have leaked credentials from unpatched deployments.

Affected Packages and Versions

The vulnerabilities impact the same RSC implementations used by frameworks like Next.js:

Affected RSC packages:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Affected versions:

  • 19.0.0
  • 19.0.1
  • 19.1.0
  • 19.1.1
  • 19.1.2
  • 19.2.0
  • 19.2.1
  • 19.0.2, 19.1.3 and 19.2.2 (last week's React2Shell fix releases) are also affected by the DoS follow-up, CVE-2025-67779

These packages ship inside multiple frameworks and bundlers that implement React Server Components, including Next.js 13.x–16.x, Vite RSC plugin, Parcel RSC, React Router’s RSC preview, Waku, and RedwoodSDK.

Apps that do not use React Server Components or Server Functions are not affected.

Patched Versions

React has released updated RSC package versions:

  • 19.0.3
  • 19.1.4
  • 19.2.3

Framework authors, including Vercel for Next.js, have published patched releases that integrate these RSC fixes; consult your framework's advisory for the exact release, since frameworks such as Next.js bundle their own copy of the RSC runtime rather than depending on the npm package directly. Teams that already updated to last week's "safe" versions (19.0.2, 19.1.3, 19.2.2) must upgrade again.
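The version table above is easy to misread under pressure, so here is a small checker that walks an npm package-lock.json (lockfileVersion 2 or 3, the "packages" map) and flags every copy of the three react-server-dom-* packages, including nested copies, against the fixed releases listed in this post. This is an added example and not Socket's or the React team's tooling; the sample lockfile embedded in it is constructed for the example, and the fixed-version table is taken from the post. Anything on a canary/prerelease build or outside the 19.0–19.2 lines is reported for manual review rather than guessed at, and frameworks that vendor the RSC runtime (Next.js) will not show up here at all and must be checked by framework version.

```javascript
// Added example: scan a package-lock.json for the react-server-dom-* versions
// this post lists as affected. Assumes lockfileVersion 2 or 3 ("packages" map).
// SAMPLE_LOCK below is constructed for the example, not taken from a real project.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First patched release per 19.x minor line, as listed in the post:
// 19.0.3, 19.1.4, 19.2.3. Anything below these (including last week's
// 19.0.2 / 19.1.3 / 19.2.2) is still affected by CVE-2025-67779.
const FIXED_PATCH = { "19.0": 3, "19.1": 4, "19.2": 3 };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if not semver-like.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Classify one RSC package version:
//   "vulnerable" - a stable 19.x release below the fixed patch for its line
//   "patched"    - at or above the fixed patch for its line
//   "review"     - prerelease/canary, unparsable, or a line not in the table;
//                  check it by hand against the React advisory
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "review";
  const fixed = FIXED_PATCH[`${p.major}.${p.minor}`];
  if (fixed === undefined || p.prerelease !== null) return "review";
  return p.patch < fixed ? "vulnerable" : "patched";
}

// Walk the "packages" map. Keys look like "node_modules/a/node_modules/b", so the
// package name is whatever follows the last "node_modules/"; the "" key is the
// root project and is skipped.
function scanLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const name = key.slice(idx + "node_modules/".length);
    if (!RSC_PACKAGES.has(name) || !entry.version) continue;
    findings.push({ path: key, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Read and scan a real lockfile from disk (only used when a path is given).
function scanLockfilePath(file) {
  const fs = require("node:fs");
  return scanLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample: one direct vulnerable copy, one patched copy, one nested
// copy still on last week's "safe" version, and one canary build.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { react: "19.2.3" } },
    "node_modules/react": { version: "19.2.3" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.3" },
    "node_modules/some-framework/node_modules/react-server-dom-parcel": { version: "19.1.3" },
    "node_modules/other-tool/node_modules/react-server-dom-webpack": { version: "19.2.0-canary-3fbfb9ba-20250911" },
  },
};

const target = process.argv[2];
const findings = target ? scanLockfilePath(target) : scanLockfile(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

Run it as `node check-rsc.js path/to/package-lock.json`; with no argument it scans the embedded sample. A "review" result is deliberately not treated as safe: canary builds of the RSC packages are version-ordered below the stable fix but may or may not contain it, so they need a manual check.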

Guidance for Socket Customers

Socket now highlights these CVEs (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) for all affected packages.

We recommend:

  1. Review your latest Socket scans to identify projects using vulnerable versions of the RSC packages or frameworks that bundle them (including most Next.js 13+ applications).
  2. Upgrade immediately to the patched versions listed above or the patched version provided by your framework.
  3. Deploy updated builds as soon as possible.
  4. If any Server Function source code may contain hardcoded secrets, rotate those credentials, since CVE-2025-55183 could have been used to read that source before the patch was deployed.
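Step 4 is the one teams tend to skip, because it requires knowing which modules are actually Server Functions. The following added example (not Socket's or the React project's code) triages a set of source files: only modules carrying a "use server" directive are in scope for CVE-2025-55183, and within those it flags credential-looking string literals that would have been present in the compiled source. The sample modules and the key in them are constructed for the example, the regexes are assumed heuristics rather than a complete secret scanner, and a line that reads from process.env is skipped because runtime secrets are not exposed by this bug.

```javascript
// Added example: find Server Function modules whose hardcoded secrets may have been
// exposed via CVE-2025-55183 and therefore need rotation. SAMPLE_MODULES and the
// "sk_live_..." value in it are constructed for the example. SECRET_PATTERNS is a
// small heuristic set (an assumption); extend it for your own credential formats.

// A line consisting only of the directive, optionally indented and terminated with ";".
// This catches both file-level directives and inline ones inside a function body.
const SERVER_DIRECTIVE = /^\s*(['"])use server\1\s*;?\s*$/m;

const SECRET_PATTERNS = [
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "github-token", re: /\bgh[pousr]_[0-9A-Za-z]{36,}\b/ },
  { kind: "stripe-secret-key", re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/ },
  { kind: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  // NAME = 'literal' where NAME ends in apikey / secret / token / password / privatekey.
  { kind: "assigned-secret-literal",
    re: /\b(?:api[_-]?key|secret|token|password|private[_-]?key)\b\s*[:=]\s*(['"`])([^'"`]{8,})\1/i },
];

function isServerModule(source) {
  return SERVER_DIRECTIVE.test(source);
}

// Scan one module's source line by line. Lines that read process.env are skipped:
// the value is resolved at runtime and is not part of the compiled source.
function findHardcodedSecrets(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (/process\.env/.test(line)) return;
    for (const { kind, re } of SECRET_PATTERNS) {
      if (re.test(line)) hits.push({ line: i + 1, kind, excerpt: line.trim() });
    }
  });
  return hits;
}

// modules: { [filePath]: sourceText }. Returns one entry per Server Function module,
// with rotate=true when a credential-looking literal was found in it.
function triageServerFunctions(modules) {
  const out = [];
  for (const [file, src] of Object.entries(modules)) {
    if (!isServerModule(src)) continue;
    const secrets = findHardcodedSecrets(src);
    out.push({ file, secrets, rotate: secrets.length > 0 });
  }
  return out;
}

// Constructed sample: a Server Function with a hardcoded key (rotate), a Server
// Function that reads its token from the environment (fine), and a plain module
// with a hardcoded key that is bad practice but out of scope for this CVE.
const SAMPLE_MODULES = {
  "app/actions/billing.js": [
    "'use server';",
    "const STRIPE_KEY = 'sk_live_EXAMPLEKEY0123456789abcd'; // constructed value, not a real key",
    "export async function charge(amount) { return call(STRIPE_KEY, amount); }",
  ].join("\n"),
  "app/actions/profile.js": [
    "\"use server\";",
    "const token = process.env.PROFILE_API_TOKEN;",
    "export async function updateProfile(data) { return post(token, data); }",
  ].join("\n"),
  "lib/format.js": [
    "export function money(n) { return `$${n.toFixed(2)}`; }",
    "const apiKey = 'not-server-code-but-still-bad-practice';",
  ].join("\n"),
};

for (const r of triageServerFunctions(SAMPLE_MODULES)) {
  console.log(`${r.rotate ? "ROTATE " : "ok     "} ${r.file}`);
  for (const s of r.secrets) console.log(`         line ${s.line}: ${s.kind}: ${s.excerpt}`);
}
```

In a real project you would build the modules map by reading every file under your app and lib directories (for example with fs.readdirSync and fs.readFileSync) and then feed it to triageServerFunctions; the ROTATE lines are the credentials to rotate first, regardless of whether you have evidence the exposure was exploited.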

You can view the Socket vulnerability page for CVE-2025-55184 here:
https://socket.dev/vuln/ghsa/GHSA-2m3v-v2m8-q956
