Introduction

The React team has disclosed critical security vulnerabilities affecting React Server Components that require immediate attention. As someone building production applications with React at Dr. Dangs Lab, I want to break down these vulnerabilities and explain what you need to do to protect your applications.

The Vulnerabilities Overview

In December 2024, security researchers discovered multiple severe vulnerabilities in React Server Components:

| CVE | Severity | Type | CVSS Score | |-----|----------|------|------------| | CVE-2025-55182 | Critical | Remote Code Execution | 9.8 | | CVE-2025-55184 | High | Denial of Service | 7.5 | | CVE-2025-67779 | High | Denial of Service | 7.5 | | CVE-2025-55183 | Medium | Source Code Exposure | 5.3 |

Affected Packages and Versions

The following packages are affected:

Affected versions:
19.0.0, 19.0.1, 19.0.2
19.1.0, 19.1.1, 19.1.2, 19.1.3
19.2.0, 19.2.1, 19.2.2

Affected packages:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack

Fixed versions: 19.0.3, 19.1.4, and 19.2.3

Understanding the Vulnerabilities

1. Remote Code Execution (CVE-2025-55182) - Critical

The most severe vulnerability allows attackers to execute arbitrary code on your server. This is a classic "React2Shell" scenario where malicious payloads can be crafted to exploit the server-side rendering process.

// Example of vulnerable pattern (DO NOT USE)
// Malicious input could exploit server-side rendering
'use server';
export async function processUserInput(data) {
  // If data is not properly sanitized, attackers
  // could potentially execute arbitrary code
  const result = await eval(data); // NEVER DO THIS
  return result;
}

2. Denial of Service (CVE-2025-55184 & CVE-2025-67779) - High

Security researchers discovered that specially crafted HTTP requests can cause infinite loops when deserialized by React, effectively hanging the server process.

Attack Vector:
┌─────────────┐     Malicious Request     ┌─────────────┐
│   Attacker  │ ─────────────────────────► │   Server    │
└─────────────┘                            └──────┬──────┘
                                                  │
                                           ┌──────▼──────┐
                                           │ Infinite    │
                                           │ Loop        │
                                           │ (CPU 100%)  │
                                           └─────────────┘
Result: Server becomes unresponsive

This vulnerability exists even if your application doesn't explicitly implement React Server Function endpoints—if it supports React Server Components, it may be vulnerable.

3. Source Code Exposure (CVE-2025-55183) - Medium

A malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of Server Functions, potentially exposing hardcoded secrets.

// Vulnerable pattern
'use server';
export async function serverFunction(name) {
  const conn = db.createConnection('SECRET_KEY_HERE'); // LEAKED!
  const user = await conn.createUser(name);
  return {
    id: user.id,
    message: Hello, ${name}! // name is stringified, source code leaked
  };
}

What gets exposed:

{
  "id": "tva1sfodwq",
  "message": "Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET_KEY_HERE\");return{id:(await b.createUser(a)).id,message:Hello, ${a}!}}!"
}

Immediate Actions Required

Step 1: Check Your Dependencies

Check if you're using affected packages
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
Or with yarn
yarn why react-server-dom-webpack

Step 2: Update to Fixed Versions

Update to fixed versions
npm update react-server-dom-webpack@19.2.3
npm update react-server-dom-parcel@19.2.3
npm update react-server-dom-turbopack@19.2.3
Or update all React packages
npm update react react-dom react-server-dom-webpack

Step 3: Update Your Framework

If you're using a framework, update it as well:

Next.js
npm update next@latest
React Router
npm update react-router@latest
Waku
npm update waku@latest

Security Best Practices

1. Never Hardcode Secrets

// BAD - Secrets in source code
'use server';
export async function connectDB() {
  return db.connect('postgresql://user:password@host/db');
}
// GOOD - Use environment variables
'use server';
export async function connectDB() {
  return db.connect(process.env.DATABASE_URL);
}

2. Input Validation

'use server';
import { z } from 'zod';
const userSchema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
});
export async function createUser(formData) {
  // Validate input before processing
  const validatedData = userSchema.parse({
    name: formData.get('name'),
    email: formData.get('email'),
  });
  // Now safe to process
  return await db.createUser(validatedData);
}

3. Rate Limiting

// Add rate limiting to Server Functions
import { rateLimit } from '@/lib/rate-limit';
'use server';
export async function sensitiveOperation(data) {
  // Check rate limit first
  const identifier = getClientIP();
  const { success } = await rateLimit.check(identifier);
  if (!success) {
    throw new Error('Too many requests');
  }
  // Process the request
  return await processData(data);
}

4. Monitoring and Alerting

// Monitor for suspicious activity
import { logger } from '@/lib/logger';
'use server';
export async function serverFunction(input) {
  // Log all server function calls
  logger.info('Server function called', {
    function: 'serverFunction',
    inputSize: JSON.stringify(input).length,
    timestamp: new Date().toISOString(),
  });
  // Detect potential attacks
  if (JSON.stringify(input).length > 10000) {
    logger.warn('Potentially malicious large input detected');
    throw new Error('Input too large');
  }
  return await processInput(input);
}

Framework-Specific Guidance

Next.js

Check your Next.js version
npx next --version
Update to latest
npm install next@latest react@latest react-dom@latest

React Router

Update React Router
npm install react-router@latest @react-router/node@latest

Is My Application Affected?

Your application is NOT affected if:

• Your React code does not use a server
• You don't use a framework/bundler supporting React Server Components
• You're using React Native without a monorepo or react-dom

Your application IS affected if:

• You use Next.js 13+ with App Router
• You use React Router with Server Components
• You use any of the affected packages

Timeline of Events

| Date | Event | |------|-------| | Dec 3 | Leak vulnerability reported | | Dec 4 | Initial DoS reported | | Dec 6 | Issues confirmed by React team | | Dec 7 | Initial fixes created | | Dec 8 | Affected parties notified | | Dec 10 | Hosting provider mitigations in place | | Dec 11 | Patches published, CVEs disclosed |

Key Takeaways

1. Update immediately - Don't wait, these are critical vulnerabilities 2. Never hardcode secrets - Use environment variables 3. Validate all inputs - Server Functions are attack vectors 4. Monitor your applications - Set up logging and alerting 5. Keep dependencies updated - This pattern of follow-up CVEs is common

Conclusion

Security vulnerabilities in critical infrastructure like React affect millions of applications. The React team's quick response and transparent disclosure is commendable. As developers, we must stay vigilant, keep our dependencies updated, and follow security best practices.

The discovery of follow-up vulnerabilities after the initial patch is a healthy sign of the security community working together. Always verify your applications are running the latest patched versions.

---

Have questions about securing your React applications? Connect on LinkedIn to discuss security best practices.