React Releases Security Fixes for React Server Components

The React team has released security updates to fix several new vulnerabilities in React Server Components (RSC). If exploited, these flaws could lead to denial-of-service (DoS) attacks or source code exposure.

The issues were discovered by the security community while analyzing earlier patches for CVE-2025-55182, a critical vulnerability with a CVSS score of 10.0 that has already been exploited in the wild.

List of Fixed Vulnerabilities

React addressed the following issues:

  • CVE-2025-55184 (CVSS 7.5)
    A pre-authentication DoS vulnerability caused by unsafe deserialization of HTTP request data. This flaw can trigger an infinite loop and freeze the server.
  • CVE-2025-67779 (CVSS 7.5)
    Caused by an incomplete fix for CVE-2025-55184; it has the same impact.
  • CVE-2025-55183 (CVSS 5.3)
    An information disclosure bug that may expose Server Function source code through a crafted HTTP request.

Exploiting CVE-2025-55183 requires a Server Function that exposes one of its arguments after converting it to a string.
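The following is an added illustration, not code from the React project and not the advisory's fix (the fix is upgrading React). It shows the shape of the pattern the advisory describes, a Server Function that stringifies an argument it received from the request, next to a variant that only accepts a primitive string of bounded length. The `'use server'` directive is omitted so the file runs as plain Node; the function names, the length limit and the `safeCall` wrapper are assumptions for the example.

```javascript
// Added example, not from the React project. Demonstrates validating a
// deserialized Server Function argument before it is coerced to a string.

class InvalidArgumentError extends Error {}

// Risky shape: whatever the framework deserialized for `name` is coerced to a
// string and echoed back to the caller.
function greetUnchecked(name) {
  return `Hello, ${String(name)}!`;
}

// Defensive check: reject anything that is not a primitive string before it
// reaches String() or a template literal. maxLength is an assumed limit.
function assertPrimitiveString(value, { maxLength = 200 } = {}) {
  if (typeof value !== 'string') {
    throw new InvalidArgumentError(`expected a string, got ${typeof value}`);
  }
  if (value.length > maxLength) {
    throw new InvalidArgumentError(`string longer than ${maxLength} characters`);
  }
  return value;
}

// Same Server Function with the check in front of the conversion.
function greetChecked(name) {
  return `Hello, ${assertPrimitiveString(name)}!`;
}

// Wraps a Server Function so the caller only sees a generic error message;
// the detailed reason goes to the server log, never back in the response.
function safeCall(fn, ...args) {
  try {
    return { ok: true, value: fn(...args) };
  } catch (err) {
    if (err instanceof InvalidArgumentError) {
      console.error('rejected server function argument:', err.message);
      return { ok: false, error: 'invalid argument' };
    }
    throw err;
  }
}

// Constructed inputs: a plain string, an object and a function, as a
// deserializer might hand them to the function.
console.log(greetUnchecked({}));                 // "Hello, [object Object]!"
console.log(safeCall(greetChecked, 'Ada'));      // { ok: true, value: 'Hello, Ada!' }
console.log(safeCall(greetChecked, () => 1));    // { ok: false, error: 'invalid argument' }
```

The point is that the type check runs before any string conversion, and that rejected calls return a fixed error rather than echoing the offending value. Treat this as defence in depth on top of the version update, not as a substitute for it.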

Affected React Versions

The vulnerabilities impact the following versions:

  • CVE-2025-55184 & CVE-2025-55183
    Versions 19.0.0 to 19.2.1
  • CVE-2025-67779
    Versions 19.0.2, 19.1.3, and 19.2.2

Recommended Updates

Users should update immediately to these secure versions:

  • 19.0.3
  • 19.1.4
  • 19.2.3

Updating is strongly recommended due to active exploitation of CVE-2025-55182.
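The following is an added example, not React project code, for checking an installed React version against the fixed releases named above (19.0.3, 19.1.4 and 19.2.3). It assumes, as the version lists above imply, that every release below the fixed release of its 19.x line still needs the update, and it assumes the usual `node_modules/react/package.json` location when run against a project directory.

```javascript
// Added example, not from the React project. Reports which fixed release a
// React install should move to under this advisory, or null if none applies.

const FIXED_RELEASES = {
  '19.0': [19, 0, 3],
  '19.1': [19, 1, 4],
  '19.2': [19, 2, 3],
};

// Accepts "19.2.1", "^19.2.0", "~19.1.3", "v19.0.2" or "19.2.0-canary-..."
// and returns [major, minor, patch]; throws on anything else.
function parseVersion(spec) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) throw new Error(`unrecognised version specifier: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the fixed release string for the install's minor line when the
// installed version is below it, otherwise null (already fixed, or a version
// line the advisory does not cover).
function fixedVersionFor(spec) {
  const installed = parseVersion(spec);
  const fixed = FIXED_RELEASES[`${installed[0]}.${installed[1]}`];
  if (!fixed) return null;
  return compareVersions(installed, fixed) < 0 ? fixed.join('.') : null;
}

// Reads the version actually installed under node_modules (assumed path);
// the lockfile or node_modules is authoritative, not the package.json range.
function checkInstalledReact(projectDir) {
  const fs = require('fs');
  const path = require('path');
  const pkgPath = path.join(projectDir, 'node_modules', 'react', 'package.json');
  const { version } = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
  return { version, upgradeTo: fixedVersionFor(version) };
}

// Usage: node check-react.js /path/to/project
if (typeof require !== 'undefined' && require.main === module && process.argv.length > 2) {
  const { version, upgradeTo } = checkInstalledReact(process.argv[2]);
  console.log(upgradeTo
    ? `react ${version}: upgrade to ${upgradeTo}`
    : `react ${version}: not affected by this advisory`);
}
```

For a range such as `^19.2.0` the function checks the lower bound only, so resolve the real installed version from the lockfile or `node_modules` before trusting a "not affected" result.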

The React team noted that follow-up vulnerabilities found after a major patch are common across the industry, and that this continued scrutiny strengthens long-term security.

Developers are advised to update React as soon as possible to protect their applications.

Source: https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html