New React RSC Vulnerabilities Enable DoS and Source Code Exposure

New React RSC Vulnerabilities Enable DoS and Source Code Exposure

Posted on By CWS

Dec 12, 2025Ravie LakshmananSoftware Safety / Vulnerability
The React workforce has launched fixes for 2 new varieties of flaws in React Server Elements (RSC) that, if efficiently exploited, may end in denial-of-service (DoS) or supply code publicity.
The workforce mentioned the problems have been discovered by the safety neighborhood whereas trying to use the patches launched for CVE-2025-55182 (CVSS rating: 10.0), a essential bug in RSC that has since been weaponized within the wild.
The three vulnerabilities are listed under –

CVE-2025-55184 (CVSS rating: 7.5) – A pre-authentication denial of service vulnerability arising from unsafe deserialization of payloads from HTTP requests to Server Perform endpoints, triggering an infinite loop that hangs the server course of and will forestall future HTTP requests from being served
CVE-2025-67779 (CVSS rating: 7.5) – An incomplete repair for CVE-2025-55184 that has the identical affect
CVE-2025-55183 (CVSS rating: 5.3) – An data leak vulnerability that will trigger a particularly crafted HTTP request despatched to a weak Server Perform to return the supply code of any Server Perform

Nonetheless, profitable exploitation of CVE-2025-55183 requires the existence of a Server Perform that explicitly or implicitly exposes an argument that has been transformed right into a string format.

The issues affecting the next variations of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack –

CVE-2025-55184 and CVE-2025-55183 – 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1
CVE-2025-67779 – 19.0.2, 19.1.3 and 19.2.2

Safety researcher RyotaK and Shinsaku Nomura have been credited with reporting the 2 DoS bugs to the Meta Bug Bounty program, whereas Andrew MacPherson has been acknowledged for reporting the knowledge leak flaw.
Customers are suggested to replace to variations 19.0.3, 19.1.4, and 19.2.3 as quickly as potential, significantly in mild of lively exploration of CVE-2025-55182.
“When a essential vulnerability is disclosed, researchers scrutinize adjoining code paths searching for variant exploit strategies to check whether or not the preliminary mitigation could be bypassed,” the React workforce mentioned. “This sample exhibits up throughout the business, not simply in JavaScript. Further disclosures could be irritating, however they’re usually an indication of a wholesome response cycle.”

The Hacker News Tags:, , , , , , ,

Related Posts

ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware The Hacker News
Malicious Chrome Extensions Target Google and Telegram Data Malicious Chrome Extensions Target Google and Telegram Data The Hacker News
6 Browser-Based Attacks Security Teams Need to Prepare For Right Now 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now The Hacker News
Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit The Hacker News
Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence The Hacker News
CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems The Hacker News