Critical Security Vulnerabilities in React Server Components: What You Need to Know

December 18, 2024
6 min read
Tushar Agrawal
Tags: React, Security, CVE, Server Components, Web Security, JavaScript

TL;DR

Understanding the recent CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779 vulnerabilities in React Server Components. Learn about Denial of Service, Source Code Exposure risks, and how to protect your applications.

Introduction

The React team has disclosed critical security vulnerabilities affecting React Server Components that require immediate attention. As someone building production applications with React at Dr. Dangs Lab, I want to break down these vulnerabilities and explain what you need to do to protect your applications.

The Vulnerabilities Overview

In December 2024, security researchers discovered multiple severe vulnerabilities in React Server Components:

CVE             Severity  Type                   CVSS Score
CVE-2025-55182  Critical  Remote Code Execution  9.8
CVE-2025-55184  High      Denial of Service      7.5
CVE-2025-67779  High      Denial of Service      7.5
CVE-2025-55183  Medium    Source Code Exposure   5.3

Affected Packages and Versions

The following packages and versions are affected:

Affected packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

Affected versions:
- 19.0.0, 19.0.1, 19.0.2
- 19.1.0, 19.1.1, 19.1.2, 19.1.3
- 19.2.0, 19.2.1, 19.2.2

Fixed versions: 19.0.3, 19.1.4, and 19.2.3

Understanding the Vulnerabilities

1. Remote Code Execution (CVE-2025-55182) - Critical

The most severe vulnerability allows attackers to execute arbitrary code on your server. This is the vulnerability nicknamed "React2Shell": a crafted request payload is processed by the server-side rendering pipeline in a way that lets the attacker run code, so no application-level bug is needed to trigger it.

// Illustrative vulnerable pattern (DO NOT USE). The CVE itself lives in the
// library's request handling, but this is the same class of mistake:
// letting request data reach code execution without any trust boundary.
'use server';

export async function processUserInput(data) {
  // If data is not properly sanitized, attackers
  // could potentially execute arbitrary code
  const result = await eval(data); // NEVER DO THIS
  return result;
}

2. Denial of Service (CVE-2025-55184 & CVE-2025-67779) - High

Security researchers discovered that specially crafted HTTP requests can cause infinite loops when deserialized by React, effectively hanging the server process.

Attack Vector:
┌─────────────┐     Malicious Request     ┌─────────────┐
│   Attacker  │ ─────────────────────────► │   Server    │
└─────────────┘                            └──────┬──────┘
                                                  │
                                           ┌──────▼──────┐
                                           │ Infinite    │
                                           │ Loop        │
                                           │ (CPU 100%)  │
                                           └─────────────┘

Result: Server becomes unresponsive

This vulnerability exists even if your application doesn't explicitly implement React Server Function endpoints—if it supports React Server Components, it may be vulnerable.

3. Source Code Exposure (CVE-2025-55183) - Medium

A malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of Server Functions, potentially exposing hardcoded secrets.

// Vulnerable pattern
'use server';

export async function serverFunction(name) {
  const conn = db.createConnection('SECRET_KEY_HERE'); // hardcoded secret: LEAKED!
  const user = await conn.createUser(name);

  return {
    id: user.id,
    // If `name` arrives as a function reference rather than a string, the
    // template literal stringifies it and the response carries this
    // function's compiled source, secret included
    message: `Hello, ${name}!`
  };
}

What gets exposed:

{
  "id": "tva1sfodwq",
  "message": "Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET_KEY_HERE\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"
}

Immediate Actions Required

Step 1: Check Your Dependencies

# Check if you're using affected packages
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

# Or with yarn
yarn why react-server-dom-webpack

Step 2: Update to Fixed Versions

# Install the fixed versions explicitly (npm install accepts a version spec,
# npm update does not pin one)
npm install react-server-dom-webpack@19.2.3
npm install react-server-dom-parcel@19.2.3
npm install react-server-dom-turbopack@19.2.3

# Or update all React packages
npm update react react-dom react-server-dom-webpack

Step 3: Update Your Framework

If you're using a framework, update it as well:

# Next.js
npm install next@latest

# React Router
npm install react-router@latest

# Waku
npm install waku@latest
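Steps 1 to 3 above are manual. As an added example (not code from the original post), this script walks the JSON tree that `npm ls --json --all` prints and flags any copy of the three affected packages, including transitive ones pulled in by a framework. The affected and fixed versions are the ones listed in this post; the dependency tree below is constructed sample data, not a real project.

```javascript
// Added example, not from the original post: scan `npm ls --json --all`
// output for the affected react-server-dom-* versions listed above.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
const AFFECTED_VERSIONS = new Set([
  '19.0.0', '19.0.1', '19.0.2',
  '19.1.0', '19.1.1', '19.1.2', '19.1.3',
  '19.2.0', '19.2.1', '19.2.2',
]);
// Fixed release for each affected minor line (from the advisory summary above).
const FIXED_FOR_MINOR = { '19.0': '19.0.3', '19.1': '19.1.4', '19.2': '19.2.3' };

// Depth-first walk: npm nests each dependency's own dependencies under its
// `dependencies` key. Returns one finding per vulnerable node, with the
// path through which it was pulled in.
function findAffected(tree, path = [], findings = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const version = node.version || '(deduped)'; // some deduped entries omit it
    const here = [...path, `${name}@${version}`];
    if (AFFECTED_PACKAGES.has(name) && AFFECTED_VERSIONS.has(version)) {
      const minor = version.split('.').slice(0, 2).join('.');
      findings.push({ name, version, fixed: FIXED_FOR_MINOR[minor], via: here.join(' > ') });
    }
    findAffected(node, here, findings);
  }
  return findings;
}

// Constructed sample of `npm ls --json --all` output (not a real project):
// a framework pulls in a vulnerable transitive copy while the direct
// dependency is already on the fixed release.
const SAMPLE_TREE = {
  name: 'sample-app',
  version: '1.0.0',
  dependencies: {
    'some-framework': {
      version: '1.2.3',
      dependencies: { 'react-server-dom-webpack': { version: '19.2.1' } },
    },
    react: { version: '19.2.3' },
    'react-server-dom-turbopack': { version: '19.2.3' },
  },
};

for (const f of findAffected(SAMPLE_TREE)) {
  console.log(`VULNERABLE ${f.name}@${f.version} (fixed in ${f.fixed}) via ${f.via}`);
}
```

For a real project, replace SAMPLE_TREE with `JSON.parse(...)` of the saved `npm ls --json --all` output; a transitive hit means the framework or bundler that carries it must be updated, not just your direct dependency.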

Security Best Practices

1. Never Hardcode Secrets

// BAD - Secrets in source code
'use server';

export async function connectDB() {
  return db.connect('postgresql://user:password@host/db');
}

// GOOD - Use environment variables
'use server';

export async function connectDB() {
  return db.connect(process.env.DATABASE_URL);
}

2. Input Validation

'use server';

import { z } from 'zod';

const userSchema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
});

export async function createUser(formData) {
  // Validate input before processing
  const validatedData = userSchema.parse({
    name: formData.get('name'),
    email: formData.get('email'),
  });

  // Now safe to process
  return await db.createUser(validatedData);
}
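The schema above validates shape; the leak in the Source Code Exposure section shows why type checks matter too: `${name}` coerces any value to a string, and for a function that string is its source. This added example (not code from the original post) puts the unchecked pattern beside a hardened one and adds a general "plain data only" check for object arguments; `leakyHelper` is a constructed stand-in for a function reference arriving where a string was expected.

```javascript
// Added example, not from the original post. Accept only JSON-shaped data:
// primitives, arrays and plain objects. Functions, class instances and
// exotic values are rejected before they can reach any output.
function isPlainData(value, depth = 0) {
  if (depth > 32) return false;               // refuse pathologically deep input
  if (value === null) return true;
  switch (typeof value) {
    case 'string': case 'number': case 'boolean': return true;
    case 'object': break;
    default: return false;                    // function, symbol, bigint, undefined
  }
  if (Array.isArray(value)) return value.every((v) => isPlainData(v, depth + 1));
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) return false; // no class instances
  return Object.values(value).every((v) => isPlainData(v, depth + 1));
}

// Require a bounded, non-empty string; anything else is a hard error.
function requireString(value, field, maxLen = 100) {
  if (typeof value !== 'string') {
    throw new TypeError(`${field}: expected string, got ${typeof value}`);
  }
  if (value.length === 0 || value.length > maxLen) {
    throw new RangeError(`${field}: length must be 1-${maxLen}`);
  }
  return value;
}

// Unchecked variant, mirroring the vulnerable pattern: whatever arrives is
// interpolated, so a function reference leaks its source text.
function greetUnchecked(name) {
  return { message: `Hello, ${name}!` };
}

// Hardened variant: validate first, interpolate after.
function greet(name) {
  return { message: `Hello, ${requireString(name, 'name')}!` };
}

// Constructed stand-in for a function handed to the Server Function in
// place of a string argument.
function leakyHelper() { return 'SECRET_KEY_HERE'; }

console.log(greetUnchecked(leakyHelper).message); // source text, secret included
console.log(greet('Ada').message);                // Hello, Ada!
```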

3. Rate Limiting

'use server';

// Add rate limiting to Server Functions.
// The 'use server' directive must be the first statement in the file,
// before any import, or it is not treated as a directive at all.
import { rateLimit } from '@/lib/rate-limit';

// getClientIP() and processData() are assumed application helpers.
export async function sensitiveOperation(data) {
  // Check the rate limit before doing any work
  const identifier = getClientIP();
  const { success } = await rateLimit.check(identifier);

  if (!success) {
    throw new Error('Too many requests');
  }

  // Process the request
  return await processData(data);
}

4. Monitoring and Alerting

'use server';

// Monitor for suspicious activity. As above, the directive comes first.
import { logger } from '@/lib/logger';

const MAX_INPUT_BYTES = 10000;

// processInput() is an assumed application helper.
export async function serverFunction(input) {
  // Serialize once; JSON.stringify returns undefined for non-serializable input
  const serialized = JSON.stringify(input);
  const inputSize = serialized ? serialized.length : 0;

  // Log every server function call
  logger.info('Server function called', {
    function: 'serverFunction',
    inputSize,
    timestamp: new Date().toISOString(),
  });

  // Reject oversized input before processing it
  if (inputSize > MAX_INPUT_BYTES) {
    logger.warn('Potentially malicious large input detected', { inputSize });
    throw new Error('Input too large');
  }

  return await processInput(input);
}

Framework-Specific Guidance

Next.js

# Check your Next.js version
npx next --version

# Update to latest
npm install next@latest react@latest react-dom@latest

React Router

# Update React Router
npm install react-router@latest @react-router/node@latest

Is My Application Affected?

Your application is NOT affected if:

  • Your React code does not use a server
  • You don't use a framework/bundler supporting React Server Components
  • You're using React Native without a monorepo or react-dom

Your application IS affected if:

  • You use Next.js 13+ with App Router
  • You use React Router with Server Components
  • You use any of the affected packages

Timeline of Events

Date    Event
Dec 3   Leak vulnerability reported
Dec 4   Initial DoS reported
Dec 6   Issues confirmed by React team
Dec 7   Initial fixes created
Dec 8   Affected parties notified
Dec 10  Hosting provider mitigations in place
Dec 11  Patches published, CVEs disclosed

Key Takeaways

  1. Update immediately - Don't wait, these are critical vulnerabilities
  2. Never hardcode secrets - Use environment variables
  3. Validate all inputs - Server Functions are attack vectors
  4. Monitor your applications - Set up logging and alerting
  5. Keep dependencies updated - This pattern of follow-up CVEs is common

Conclusion

Security vulnerabilities in critical infrastructure like React affect millions of applications. The React team's quick response and transparent disclosure are commendable. As developers, we must stay vigilant, keep our dependencies updated, and follow security best practices.

The discovery of follow-up vulnerabilities after the initial patch is a healthy sign of the security community working together. Always verify your applications are running the latest patched versions.

---

Have questions about securing your React applications? Connect on LinkedIn to discuss security best practices.

Written by

Tushar Agrawal

Full-Stack Engineer in New Delhi building healthcare SaaS at Dr. Dangs Lab. 3+ years shipping Python/Go microservices, event-driven systems, and HIPAA-compliant platforms at 99.9% uptime. Creator of QAuth and QuantumShield.