The React team has released fixes for two new vulnerabilities in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure.
The team said the issues were discovered by the security community while examining the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in the wild.
The three vulnerabilities are listed below –
- CVE-2025-55184 (CVSS score: 7.5) – A pre-authentication denial-of-service vulnerability arising from unsafe deserialization of payloads from HTTP requests to Server Function endpoints, triggering an infinite loop that hangs the server process and prevents future HTTP requests from being served
- CVE-2025-67779 (CVSS score: 7.5) – An incomplete fix for CVE-2025-55184 that has the same impact
- CVE-2025-55183 (CVSS score: 5.3) – An information leak vulnerability that could allow a specially crafted HTTP request sent to a vulnerable Server Function to return the source code of any Server Function
However, successful exploitation of CVE-2025-55183 requires the existence of a Server Function that explicitly or implicitly exposes an argument that has been converted into a string format.
The issues affect the following versions of react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack –
- CVE-2025-55184 and CVE-2025-55183 – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1
- CVE-2025-67779 – 19.0.2, 19.1.3 and 19.2.2
Security researchers RyotaK and Shinsaku Nomura have been credited with reporting the two DoS bugs to the Meta Bug Bounty program, while Andrew MacPherson has been acknowledged for reporting the information leak flaw.
Users are advised to update to versions 19.0.3, 19.1.4, and 19.2.3 as soon as possible, particularly in light of active exploitation of CVE-2025-55182.
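To check whether a project is still carrying one of the affected builds, including a nested duplicate hidden under another dependency, the following audit script can be run against an npm lockfile. It is an added example, not code from the React team or this article; the package names, affected versions and fixed versions are the ones listed above, and the sample lockfile content is constructed for the demonstration.

```javascript
// Added example (not from the React team or this article): audit an npm
// lockfile (v2/v3 "packages" map) for the react-server-dom-* versions the
// advisory names. Versions and CVE numbers are taken from the advisory text;
// the sample lockfile at the bottom is constructed for the demo.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'react-server-dom-webpack',
]);

// Exact versions named in the advisory, mapped to the CVEs they carry.
const VULNERABLE = {
  '19.0.0': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.0.1': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.1.0': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.1.1': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.1.2': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.2.0': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.2.1': ['CVE-2025-55184', 'CVE-2025-55183'],
  '19.0.2': ['CVE-2025-67779'], // incomplete fix for CVE-2025-55184
  '19.1.3': ['CVE-2025-67779'],
  '19.2.2': ['CVE-2025-67779'],
};
const FIXED = new Set(['19.0.3', '19.1.4', '19.2.3']);

// Lockfile keys look like "node_modules/a/node_modules/b"; the package name
// is everything after the last "node_modules/" (scoped names included).
function packageName(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i === -1 ? lockPath : lockPath.slice(i + 'node_modules/'.length);
}

// One finding per installed copy, so a nested old version is not masked
// by a patched top-level one.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const cves = VULNERABLE[entry.version] || [];
    const status = cves.length ? 'vulnerable'
      : FIXED.has(entry.version) ? 'fixed' : 'not-listed';
    findings.push({ path, name, version: entry.version, status, cves });
  }
  return findings;
}

// Constructed sample: a patched top-level copy, a nested old copy, and a
// copy on the incomplete-fix release.
const SAMPLE_LOCK = { packages: {
  'node_modules/react-server-dom-webpack': { version: '19.2.3' },
  'node_modules/some-framework/node_modules/react-server-dom-webpack': { version: '19.2.1' },
  'node_modules/react-server-dom-parcel': { version: '19.1.3' },
} };
```

Run it against `JSON.parse(fs.readFileSync('package-lock.json'))` and treat any `vulnerable` finding as a blocker; a `not-listed` result means the version is outside both lists and should be checked by hand.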
“When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed,” the React team said. “This pattern shows up across the industry, not just in JavaScript. Additional disclosures can be frustrating, but they’re often a sign of a healthy response cycle.”