New React RSC Vulnerabilities Enable DoS and Source Code Exposure
Briefly

"The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in the wild. The three vulnerabilities are listed below -

CVE-2025-55184 and CVE-2025-55183 - 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1
CVE-2025-67779 - 19.0.2, 19.1.3 and 19.2.2

Security researchers RyotaK and Shinsaku Nomura have been credited with reporting the two DoS bugs to the Meta Bug Bounty program, while Andrew MacPherson has been acknowledged for reporting the information leak flaw. Users are advised to update to versions 19.0.3, 19.1.4, and 19.2.3 as soon as possible, particularly in light of active exploitation of CVE-2025-55182."
Multiple vulnerabilities in React Server Components allow pre-authentication denial of service and potential disclosure of Server Function source code. CVE-2025-55184 and CVE-2025-67779 cover unsafe deserialization and an incomplete fix for it; either can trigger an infinite loop that hangs the server process. CVE-2025-55183 can return a Server Function's source code when a crafted HTTP request targets a function that converts one of its arguments to a string. Affected packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack across several 19.x releases. The reporters are credited, and an immediate upgrade to 19.0.3, 19.1.4, or 19.2.3 is advised.
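The first thing a defender needs is an answer to "are we running an affected release?". The Node.js script below is an added example, not code from The Hacker News article or from the React project: it walks an npm package-lock.json (lockfileVersion 2/3 "packages" map), picks out the three react-server-dom-* packages named above, and reports which advisory CVEs list each installed version together with the fixed release on that 19.x line. The affected and fixed version lists are taken from the text above; the lockfile layout, the constructed sample lock, and the function names (checkVersion, auditLock) are assumptions for illustration.

```javascript
// Added example (not from the article or the React project): audit a
// package-lock.json for the React Server Components packages the advisory
// names and flag versions it lists as affected. The version data below is
// taken from the advisory text; the lockfile layout (npm lockfileVersion 2/3
// "packages" map), the sample lock and the function names are assumptions.

const AFFECTED_PACKAGES = [
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'react-server-dom-webpack',
];

// Versions the advisory enumerates as affected, grouped by CVE.
const ADVISORIES = [
  {
    cves: ['CVE-2025-55184', 'CVE-2025-55183'],
    versions: ['19.0.0', '19.0.1', '19.1.0', '19.1.1', '19.1.2', '19.2.0', '19.2.1'],
  },
  { cves: ['CVE-2025-67779'], versions: ['19.0.2', '19.1.3', '19.2.2'] },
];

// First fixed release on each 19.x line, keyed by "major.minor".
const FIXED = { '19.0': '19.0.3', '19.1': '19.1.4', '19.2': '19.2.3' };

// Parse "major.minor.patch" (any pre-release or build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Classify one version. status is 'affected' (enumerated by the advisory),
// 'fixed' (at or above the fixed release on a patched line) or 'unknown'
// (a release line the advisory does not cover at all).
function checkVersion(version) {
  const [major, minor] = parseVersion(version);
  const fixedIn = FIXED[`${major}.${minor}`] ?? null;
  const cves = ADVISORIES
    .filter((a) => a.versions.includes(version))
    .flatMap((a) => a.cves);
  let status = 'unknown';
  if (cves.length > 0) status = 'affected';
  else if (fixedIn && compareVersions(version, fixedIn) >= 0) status = 'fixed';
  return { version, status, cves, fixedIn };
}

// Walk the lockfile "packages" map and report every affected RSC package instance,
// including nested copies under another dependency's node_modules.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === '' || !entry.version) continue; // root project entry
    // The package name is whatever follows the last "node_modules/" segment.
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // workspace link, not an installed package
    const name = path.slice(idx + 'node_modules/'.length);
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const result = checkVersion(entry.version);
    if (result.status === 'affected') findings.push({ path, name, ...result });
  }
  return findings;
}

// Constructed sample lock (not a real project): one clean and two affected packages.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/react-server-dom-turbopack': { version: '19.1.3' },
    'node_modules/react-server-dom-parcel': { version: '19.2.3' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} (${f.path}): ${f.cves.join(', ')} -> upgrade to ${f.fixedIn}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. The script keys only on the three packages the summary names; add any further package you want covered (the react package itself, for instance) to AFFECTED_PACKAGES, and treat a 'fixed' result as "at or above the release the advisory names" rather than as a general security assessment of that version.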
Read at The Hacker News