New React Server Components Vulnerabilities Enable DoS and Source Code Exposure
The React maintainers have shipped patches for two additional classes of vulnerabilities in React Server Components (RSC) that, if abused, can lead to denial-of-service (DoS) conditions or exposure of server-side source code.
The project noted that these weaknesses were identified by the security community while probing the earlier fixes for CVE-2025-55182 (CVSS score: 10.0), a critical RSC issue that has already been observed in real-world attack chains.
The three related vulnerabilities are:
- CVE-2025-55184 (CVSS score: 7.5) – A pre-authentication DoS vulnerability caused by unsafe deserialization of payloads from HTTP requests sent to Server Function endpoints, which can drive the server into an infinite loop, hang the process, and block subsequent HTTP traffic from being handled
- CVE-2025-67779 (CVSS score: 7.5) – An incomplete remediation for CVE-2025-55184 that leaves the same DoS impact in place
- CVE-2025-55183 (CVSS score: 5.3) – An information disclosure issue that can cause a specially crafted HTTP request to a vulnerable Server Function to return the source code of any Server Function
Exploitation of CVE-2025-55183, however, depends on the presence of at least one Server Function that directly or indirectly exposes an argument that has been converted to a string.
The issues impact the following versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack:
- CVE-2025-55184 and CVE-2025-55183 – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1
- CVE-2025-67779 – 19.0.2, 19.1.3 and 19.2.2
Security researchers RyotaK and Shinsaku Nomura are credited with reporting the two DoS paths via Meta’s bug bounty program, and Andrew MacPherson is credited with identifying the source code disclosure issue.
From a SOC and engineering perspective, environments should be moved to versions 19.0.3, 19.1.4, and 19.2.3 without delay, especially given active attacker focus on CVE-2025-55182 and related code paths.
“When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed,” the React team said. “This pattern shows up across the industry, not just in JavaScript. Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.”
