Denial-of-Service and Source Code Exposure in React Server Components
In early December 2025, the React core team disclosed two new vulnerabilities affecting React Server Components (RSC): denial of service (DoS) and source code exposure. These flaws could let an attacker crash the server or obtain server-side code, but they do not allow remote code execution. The React team has released fixed versions and advises developers to upgrade immediately to eliminate the risk. 2025-12-16 06:51:15 Author: securityboulevard.com (view original)

In early December 2025, the React core team disclosed two new vulnerabilities affecting React Server Components (RSC). These issues – Denial-of-Service and Source Code Exposure – were found by security researchers probing the fixes for the previous week’s critical RSC vulnerability, known as “React2Shell”.

While these newly discovered bugs do not enable Remote Code Execution, meaning the React2Shell patch remained effective, they do open the door to two serious problems: 

  • Denial-of-Service (DoS) risk and 
  • An unintended Server-Side Source Code Exposure. 

The React team identified these as a high-severity DoS (CVSS 7.5) and a medium-severity code leak (CVSS 5.3), with CVE identifiers CVE-2025-55184 / CVE-2025-67779 for the DoS and CVE-2025-55183 for the code exposure. Given the impact of these flaws, developers were urged to upgrade immediately to patched versions.

Denial-of-Service Vulnerability (High Severity)

Security researchers found that a specially crafted HTTP request can make a React Server Components (RSC) endpoint enter an infinite loop. This causes the server (for example, Node.js) to spike to 100% CPU and become unresponsive.

An attacker doesn’t need custom server actions to exploit this; any app using RSC can be affected because a generic endpoint is exposed by default. The impact is a denial-of-service attack, preventing legitimate users from accessing the application.

The React team fixed the issue by updating RSC internals to stop the infinite loop during request deserialization, though the first patch was incomplete and required a follow-up fix.

Source Code Exposure Vulnerability (Medium Severity)

The second issue is a bug that can leak server-side source code. By sending a specially crafted HTTP request to a vulnerable server action, an attacker can make React return the actual JavaScript source of that server function in the response.

This doesn’t affect every RSC endpoint. The function is only vulnerable if it returns data that includes a stringified argument (directly or indirectly). For example, if a server function takes user input (like a name) and returns a greeting string using that input, the bug could cause the entire function’s source code to be included in the response. This could even expose hardcoded secrets inside the function, such as API keys.

React fixed this by ensuring server responses never stringify or send function source code. The leak is limited in scope: only the code of the affected server function and inlined helpers can be exposed. Other files and environment-based secrets are not leaked.

In short, these issues could allow attackers to disrupt your service (DoS) or view parts of your server-side code, but they do not allow arbitrary code execution.


Denial-of-Service and Source Code Exposure Timeline

The React team provided a detailed timeline of the discovery, patching, and disclosure process for these vulnerabilities:

  • December 3, 2025: The source code leak issue was first reported to Vercel and to Meta’s bug bounty program by researcher Andrew MacPherson. This report indicated that React Server Components could inadvertently leak server-side code under certain conditions.
  • December 4, 2025: The first denial-of-service vulnerability was reported through the Meta bug bounty program by a researcher known as RyotaK. This was the initial discovery of the DoS flaw.
  • December 6, 2025: The React team confirmed both issues (the code leak and the DoS) and began in-depth investigation and work on fixes.
  • December 7, 2025: Initial fixes were developed for the vulnerabilities. The React team started testing these fixes and planning the rollout of new patched releases.
  • December 8, 2025: The team notified affected third parties – specifically major hosting providers and maintainers of relevant open-source projects and frameworks – about the vulnerabilities, so they could prepare mitigations or coordinate releases.
  • December 10, 2025: By this date, temporary mitigations were put in place by several hosting providers, and the React team had finished verifying the patches’ effectiveness.
  • December 11, 2025 (morning): An additional DoS variant was reported to the Meta bug bounty program by Shinsaku Nomura, indicating there might be a remaining edge case not covered by the initial fix.
  • December 11, 2025 (early afternoon): The React team officially published the patched versions of the affected packages and publicly disclosed the vulnerabilities. The DoS issue was disclosed under CVE-2025-55184, and the source leak issue under CVE-2025-55183.
  • December 11, 2025 (later the same day): Upon further internal testing, the team discovered a remaining DoS case that the earlier patch did not fully address. They immediately issued an additional fix for this and disclosed it as CVE-2025-67779 (a second DoS-related CVE for the incomplete fix). This final step ensured that all known exploit vectors for the DoS vulnerability were patched in the new releases.

Denial-of-Service and Source Code Exposure Impact

Affected Versions and Applications

  • Any React application using React Server Components (RSC) could be affected if it ran vulnerable RSC package versions.
  • The issues existed in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
  • Affected React versions ranged from 19.0.0 to 19.2.2.
  • Practically, all React 19.x apps using Server Components in these versions were vulnerable.
  • Frameworks that rely on RSC were also impacted due to bundled dependencies.
  • Affected frameworks/tools include Next.js, React Router (RSC support), Waku, Parcel RSC plugin, Vite RSC plugin, and RedwoodSDK.
  • Developers using these frameworks were indirectly exposed until patches were applied.
  • Applications not using RSC or server-side React features (e.g., purely client-rendered React apps) were not affected.

Exploitation Conditions – DoS

  • The DoS vulnerability could be exploited as long as the app ran a vulnerable RSC version and exposed the default server functions endpoint.
  • No authentication or special privileges were required to carry out the attack.
  • Attackers could target the public RSC endpoint used to handle server actions.
  • A specially crafted or malformed request could trigger an infinite loop in server-side request processing.
  • This would cause the server process to consume 100% CPU and hang, making the app unavailable.
  • The application would remain offline until the server process was restarted or killed.
  • The attack could be repeated to cause ongoing outages or severe performance degradation.
  • Even apps without explicitly defined server actions were vulnerable.
  • Simply having RSC enabled was enough for an attacker to exploit the issue.

Exploitation Conditions – Source Leak

  • The source code exposure bug required a specific condition to be exploitable.
  • The app must have at least one Server Component / server action that returns stringifiable data derived from user input.
  • Common examples include functions that return strings directly or include user input in a returned object.
  • If such a function exists, an attacker could send a crafted request to its endpoint.
  • This request could trick React into serializing and returning the function’s source code in the response.
  • The attacker would receive the JavaScript source of the server function, exposing its logic.
  • Any hard-coded secrets inside the function (API keys, secret strings, etc.) would be visible.
  • Environment-based secrets are not exposed, as they are not part of the source code.
  • The leak is limited to the affected function and its inlined helpers.
  • No access is gained to other files or code outside the function’s scope.
  • Even with these limits, the issue poses a serious information disclosure risk.
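The greeting-style server function described above (and in the earlier Source Code Exposure section) only becomes dangerous when a secret is written into the function body, because the advisory states that the leak is confined to that function's own source and inlined helpers while environment-based secrets stay out of it. The following is an added example, not code from the original post or from the React project: a pre-deployment check that scans server functions for hardcoded secret literals. The function names, the regex heuristics and the `sk_live_EXAMPLE_PLACEHOLDER_KEY` value are all constructed here, and `Function.prototype.toString()` is used as this example's own approximation of the source text that could be exposed, not as a description of React internals.

```javascript
// Added example (not from the post or the React project): guard server
// functions against the pattern the advisory warns about, a secret literal
// living inside the function body.

// Vulnerable-by-design variant: the API key is a literal in the function body,
// so if the function source were exposed, the key would go with it.
function greetWithInlineKey(name) {
  const API_KEY = 'sk_live_EXAMPLE_PLACEHOLDER_KEY'; // constructed placeholder, not a real key
  return `Hello ${name}, your key prefix is ${API_KEY.slice(0, 7)}`;
}

// Hardened variant: the secret comes from the environment, which the advisory
// says is not part of the leaked source. Only the variable name appears in the body.
function greetWithEnvKey(name) {
  const apiKey = process.env.EXAMPLE_API_KEY || ''; // EXAMPLE_API_KEY is a hypothetical name
  return `Hello ${name}, your key prefix is ${apiKey.slice(0, 7)}`;
}

// Constructed heuristics: a string literal assigned to a secret-sounding
// identifier, or a string literal that starts with a well-known key prefix.
const SECRET_PATTERNS = [
  /\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['"`][^'"`]{8,}['"`]/i,
  /['"`](sk_live_|sk_test_|AKIA|ghp_)[A-Za-z0-9_]{4,}['"`]/,
];

// Returns the source of every pattern that matched the function's own source text.
// Assumption: fn.toString() stands in for the source that could be exposed.
function findInlineSecrets(fn) {
  const source = fn.toString();
  return SECRET_PATTERNS.filter((re) => re.test(source)).map((re) => re.source);
}

// Audits a list of server functions; an empty array per function means clean.
function auditServerFunctions(fns) {
  const report = {};
  for (const fn of fns) report[fn.name] = findInlineSecrets(fn);
  return report;
}

// Usage: run in CI and fail the build if any function reports a match.
const report = auditServerFunctions([greetWithInlineKey, greetWithEnvKey]);
for (const [name, hits] of Object.entries(report)) {
  console.log(`${name}: ${hits.length === 0 ? 'clean' : `${hits.length} secret pattern(s) matched`}`);
}
```

The check is a heuristic, so it complements rather than replaces upgrading the `react-server-dom-*` packages; its value is that it keeps the blast radius of any future source exposure to logic only, with no credentials inside the function body.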

In summary, the DoS vulnerability could allow anyone to crash or stall your React server at will, resulting in downtime and loss of availability for users. Meanwhile, the source exposure flaw could let attackers scrape confidential server-side code, potentially leading to further exploits or leaks of secrets (for example, database credentials embedded in code). These issues were serious: 

  • The DoS was rated High severity because of its impact on availability
  • The code leak was rated Medium severity as it could facilitate other attacks or intellectual property loss.
  • No remote code execution was possible through these bugs, unlike the earlier React2Shell issue, so attackers could not directly take control of servers. However, the combination of service outage potential and sensitive data exposure was enough to warrant an urgent security update from the React team.

Denial-of-Service and Source Code Exposure Mitigation

The React team released security patches on December 11, 2025 to fix the DoS and source code exposure vulnerabilities in React Server Components (RSC).

  • Fixed versions include:
    react-server-dom-webpack 19.0.3, 19.1.4, and 19.2.3 (with matching patch versions for …-parcel and …-turbopack).
  • These fixes were backported across all React 19.x branches, allowing upgrades without a major version change.
  • All apps running vulnerable versions (19.0.0–19.2.2) must upgrade immediately. The React team strongly recommends doing this due to the severity of the issues.
  • If you previously upgraded to 19.0.2, 19.1.3, or 19.2.2 to fix an earlier RSC issue, note that those versions are still vulnerable. The initial fixes were incomplete, so you must upgrade again to 19.0.3 / 19.1.4 / 19.2.3.
  • New CVEs (for example, CVE-2025-67779) were issued, and the newer patch versions fully replace the earlier, insufficient fixes.
  • To secure your app:
    • Update all react-server-dom-* packages to the fixed versions.
    • If you use frameworks like Next.js, React Router, Remix, or others, upgrade to the latest framework release that includes the patched React packages.
  • The React team coordinated with framework maintainers, so updated framework versions or upgrade guidance is available. Always follow your framework’s official upgrade instructions.
  • Do not rely on temporary mitigations such as firewalls or request filtering. These were only short-term protections. Upgrading dependencies is the only complete fix.
  • React Native apps are generally unaffected unless they are part of a monorepo that includes the vulnerable RSC packages. In such cases:
    • Update only the react-server-dom-* packages.
    • You do not need to upgrade react or react-dom, avoiding compatibility issues.
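Because the earlier React2Shell patch levels (19.0.2, 19.1.3, 19.2.2) are still vulnerable to these two issues, a quick lockfile audit is the simplest way to confirm that every copy of a `react-server-dom-*` package, including nested copies pulled in by a framework, is at 19.0.3, 19.1.4 or 19.2.3 or later. The following is an added example, not code from the original post or from the React project: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and reports any affected version together with the fixed version for its minor line. The sample lockfile is constructed here; only the three RSC packages are flagged, matching the advice above that `react` and `react-dom` themselves do not need to change.

```javascript
// Added example (not from the post or the React project): audit a
// package-lock.json for react-server-dom-* versions affected by the
// December 2025 RSC advisories (affected 19.0.0 - 19.2.2).

const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// First fixed version of each affected React 19 minor line, per the advisory.
const FIXED_BY_MINOR = {
  '19.0': [19, 0, 3],
  '19.1': [19, 1, 4],
  '19.2': [19, 2, 3],
};

function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`cannot parse version "${version}"`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the version to upgrade to, or null when the installed version is
// already fixed or lies outside the affected 19.0.x - 19.2.x lines.
function requiredFix(version) {
  const v = parseVersion(version);
  const fixed = FIXED_BY_MINOR[`${v[0]}.${v[1]}`];
  if (!fixed) return null;
  return compareVersions(v, fixed) < 0 ? fixed.join('.') : null;
}

// Keys in the "packages" map look like "node_modules/<name>" or, for nested
// copies, "node_modules/<dep>/node_modules/<name>"; the last segment is the name.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!RSC_PACKAGES.includes(name) || !entry.version) continue;
    const upgradeTo = requiredFix(entry.version);
    if (upgradeTo) findings.push({ path, name, version: entry.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project). It mixes a copy
// patched only for React2Shell (19.2.2), a fully fixed copy (19.2.3) and a
// nested copy on an old 19.0.x release.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.2' },
    'node_modules/react-server-dom-webpack': { version: '19.2.2' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.3' },
    'node_modules/example-framework/node_modules/react-server-dom-parcel': { version: '19.0.1' },
  },
});

// Usage: replace SAMPLE_LOCKFILE with the contents of your own package-lock.json.
for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}: ${f.version} -> upgrade to ${f.upgradeTo}`);
}
```

Versions from minor lines the advisory does not list (for example anything above 19.2.x or any 18.x release) are reported as not affected; the check is intentionally narrow to the three packages and the range the advisory names.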



Takeaway

Any project using react-server-dom-* must be on 19.0.3, 19.1.4, 19.2.3, or later to be fully protected.

The React Server Components vulnerabilities disclosed on December 11, 2025 require immediate action. Developers should upgrade to the patched versions or update their framework to one that includes them to remove the DoS and source code exposure risks.

In addition, VAPT and automated VMDR tools can help identify such risks early. Regular VAPT can validate whether exposed RSC endpoints are exploitable, while an automated VMDR solution can continuously monitor dependencies, detect vulnerable package versions, and alert teams to known CVEs before they are abused.

The React team provided backported fixes across all React 19.x versions and coordinated with major frameworks, making safe upgrades straightforward. Applying these updates, combined with continuous vulnerability monitoring, protects your application from server outages and accidental leaks of server-side code or secrets.

FAQs

  1. What are the React Server Components (RSC) vulnerabilities disclosed in December 2025?

    The December 2025 React RSC vulnerabilities include a high-severity Denial-of-Service (DoS) flaw and a medium-severity server-side source code exposure issue. These bugs can allow attackers to crash React servers or leak server function code, but they do not enable remote code execution.

  2. Which React versions and frameworks are affected by the RSC DoS and code leak issues?

    All React 19.x applications using React Server Components with versions 19.0.0 to 19.2.2 are affected. Popular frameworks like Next.js, React Router, Vite (RSC plugin), Parcel, and Waku were also impacted due to bundled RSC dependencies.

  3. How can developers fix and prevent React Server Components vulnerabilities?

    Developers should upgrade to patched versions: react-server-dom-* 19.0.3, 19.1.4, or 19.2.3 (or update their framework accordingly). Additionally, using VAPT and automated VMDR tools helps continuously detect vulnerable dependencies, exposed endpoints, and known CVEs before they are exploited.

The post Denial-of-Service and Source Code Exposure in React Server Components appeared first on Kratikal Blogs.

*** This is a Security Bloggers Network syndicated blog from Kratikal Blogs authored by Puja Saikia. Read the original post at: https://kratikal.com/blog/denial-of-service-and-source-code-exposure-in-react-server-components/


Source: https://securityboulevard.com/2025/12/denial-of-service-and-source-code-exposure-in-react-server-components/