CRITICAL: New React Server Component Vulnerabilities - Denial of Service and Source Code Exposure
Source: Dev.to

Heads up, React developers! The React team just announced two new vulnerabilities in React Server Components that could lead to a denial of service or expose your source code. If you are using React Server Components in production, you should patch your application immediately.
This article covers the general React vulnerabilities and the specific impact on Next.js.
The Vulnerabilities (React)
The two vulnerabilities are:
- Denial of Service (DoS) – High Severity (CVSS 7.5, CVE‑2025‑55184)
- Source Code Exposure – Medium Severity (CVSS 5.3, CVE‑2025‑55183)
Denial of Service (DoS)
A single specially crafted HTTP request can trigger an infinite loop on your server. The request handler never returns, the server becomes unresponsive, and your users see a denial of service. This is a high‑severity vulnerability and should be addressed immediately.
Source Code Exposure
This vulnerability allows a malicious actor to read the source code of your Server Functions. By sending a specially crafted HTTP request, they can have the server return your code, including any hard‑coded secrets or other sensitive information embedded in it. Although classified as medium severity, the impact can be serious: anything a Server Function has inline (API keys, database credentials, internal URLs) should be treated as exposed until you have patched and rotated it.
Are You Affected? (React)
You are affected if you are using React Server Components. This includes frameworks and bundlers such as:
- Next.js
- react‑router
- Waku
- @parcel/rsc
- @vite/rsc-plugin
- rwsdk
If you are not running a server at all (a purely client-rendered app) or your application does not use React Server Components, you are not affected.
The Fix (React)
The React team has released patched versions of the following packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Upgrade to the patched release for your line: 19.0.3, 19.1.4 or 19.2.3. Note that the DoS fix in these releases was later found to be incomplete (CVE‑2025‑67779, see the Next.js section below), so take the latest patch release on your line rather than stopping at these exact numbers.
For React Native developers, the React team has provided specific instructions for updating the impacted packages in your monorepo.
What to Do Now (React)
- Check if you are affected: Determine if your application uses React Server Components.
- Upgrade your dependencies: If you are affected, upgrade your react-server-dom-* packages to the latest patched versions. Check the lockfile as well as package.json, because a nested or hoisted copy pulled in by a framework can stay on an old version even when your direct dependency is patched.
- Audit your code: Even after patching, audit your Server Functions for hard‑coded secrets, move them into environment variables or a secrets manager, and rotate any secret that was in code while the vulnerable versions were deployed.
Next.js Specific Information (Update)
The Next.js team has released a security update addressing the downstream impact of the React Server Component vulnerabilities on applications using the App Router.
Important Note: The initial fix for the Denial of Service vulnerability (CVE‑2025‑55184) was incomplete. A complete fix has been issued under CVE‑2025‑67779. If you previously upgraded, you must upgrade again to the latest patched versions.
Affected and Fixed Next.js Versions
| Release Line | Fixed In |
|---|---|
| 13.3.x through 14.x | 14.2.35 |
| 15.0.x | 15.0.7 |
| 15.1.x | 15.1.11 |
| 15.2.x | 15.2.8 |
| 15.3.x | 15.3.8 |
| 15.4.x | 15.4.10 |
| 15.5.x | 15.5.9 |
| 15.x canary | 15.6.0‑canary.60 |
| 16.0.x | 16.0.10 |
| 16.x canary | 16.1.0‑canary.19 |
Required Action for Next.js Users
All users should upgrade to the latest patched version for their release line. There is no workaround.
You can use npm or yarn to install the patched version for your release line, for example:

```bash
npm install next@14.2.35           # 14.x (and 13.3+)
npm install next@15.0.7            # 15.0.x
npm install next@15.1.11           # 15.1.x
npm install next@15.2.8            # 15.2.x
npm install next@15.3.8            # 15.3.x
npm install next@15.4.10           # 15.4.x
npm install next@15.5.9            # 15.5.x
npm install next@16.0.10           # 16.0.x
npm install next@15.6.0-canary.60  # 15.x canary releases
npm install next@16.1.0-canary.19  # 16.x canary releases
```

Alternatively, run the interactive fix-react2shell-next tool, which checks your installed version and performs the upgrade:

```bash
npx fix-react2shell-next
```
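The "check if you are affected" and "upgrade your dependencies" steps above, and the Next.js version table, both come down to the same question: is every installed copy of next and react-server-dom-* at or above the fixed version for its release line? The script below is an added example, not tooling from React, Next.js or this article's author. It reads an npm package-lock.json (lockfileVersion 3 layout) offline, including nested copies under a dependency's own node_modules, and compares each relevant package against a fixed-version table built from the numbers on this page. The React numbers in that table are the initial DoS fix that the article notes was incomplete, so replace them with the versions from the current advisory before relying on the result. The sample lockfile is constructed for the demonstration.

```javascript
// Added example: offline lockfile audit against the fixed versions listed
// in this article. Not React's or Next.js's own tooling.

// Fixed versions per release line, as given on this page. `prefix` selects the
// release line; `from` (optional) is the lowest affected version on that line.
// The react-server-dom-* numbers are the initial DoS fix that was later found
// incomplete: substitute the current advisory's versions before real use.
const RSC_LINES = [
  { prefix: "19.0.", fixed: "19.0.3" },
  { prefix: "19.1.", fixed: "19.1.4" },
  { prefix: "19.2.", fixed: "19.2.3" },
];
const FIXED = {
  next: [
    { prefix: "13.", from: "13.3.0", fixed: "14.2.35" },
    { prefix: "14.", fixed: "14.2.35" },
    { prefix: "15.0.", fixed: "15.0.7" },
    { prefix: "15.1.", fixed: "15.1.11" },
    { prefix: "15.2.", fixed: "15.2.8" },
    { prefix: "15.3.", fixed: "15.3.8" },
    { prefix: "15.4.", fixed: "15.4.10" },
    { prefix: "15.5.", fixed: "15.5.9" },
    { prefix: "15.6.", fixed: "15.6.0-canary.60" },
    { prefix: "16.0.", fixed: "16.0.10" },
    { prefix: "16.1.", fixed: "16.1.0-canary.19" },
  ],
  "react-server-dom-webpack": RSC_LINES,
  "react-server-dom-parcel": RSC_LINES,
  "react-server-dom-turbopack": RSC_LINES,
};

// Minimal SemVer parser: "X.Y.Z" with an optional "-prerelease" tail.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] ? m[4].split(".") : [] };
}

// Returns -1, 0 or 1. Handles canary builds: 15.6.0-canary.60 > 15.6.0-canary.59,
// and a plain release outranks any prerelease of the same core version.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 || pb.pre.length === 0) {
    return pa.pre.length === pb.pre.length ? 0 : pa.pre.length === 0 ? 1 : -1;
  }
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;   // numeric identifiers sort before alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return pa.pre.length === pb.pre.length ? 0 : pa.pre.length < pb.pre.length ? -1 : 1;
}

// Fixed version for the release line `installed` is on, or null if the line
// is not in the table (e.g. next 13.2.x, which the article does not list).
function fixedVersionFor(name, installed) {
  const lines = Object.prototype.hasOwnProperty.call(FIXED, name) ? FIXED[name] : null;
  if (!lines) return null;
  for (const l of lines) {
    if (!installed.startsWith(l.prefix)) continue;
    if (l.from && compareSemver(installed, l.from) < 0) continue;
    return l.fixed;
  }
  return null;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> null.
function nameFromLockPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

// One finding per installed copy of a package in the table.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (!name || !Object.prototype.hasOwnProperty.call(FIXED, name) || !entry.version) continue;
    const fixed = fixedVersionFor(name, entry.version);
    const status = fixed === null ? "unlisted"
      : compareSemver(entry.version, fixed) >= 0 ? "patched" : "vulnerable";
    findings.push({ path, name, installed: entry.version, fixed, status });
  }
  return findings;
}

// Constructed sample lockfile (npm lockfileVersion 3 layout), not a real project.
// The nested turbopack copy is the case `npm ls next` alone would not surface.
const SAMPLE_LOCK = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "15.4.1" } },
    "node_modules/next": { version: "15.4.1" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.3" },
    "node_modules/some-tool/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.installed} at ${f.path}` +
    (f.fixed ? ` (fixed in ${f.fixed})` : " (release line not in table)"));
}
```

To audit a real project, replace SAMPLE_LOCK with the parsed contents of package-lock.json (`JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`). After upgrading, `npm ls next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack` gives the same view of every installed copy from npm's side; the point of the script is that a patched direct dependency is not enough if a nested copy is still on an old release line.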