Executive Summary
In December 2025, three vulnerabilities were disclosed in React Server Components (RSC), affecting the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. Tracked as CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183, they allow an unauthenticated attacker to cause a denial of service (DoS) against Server Function endpoints and, in one case, to retrieve the source code of any Server Function. The DoS variants stem from unsafe deserialization of a crafted HTTP request body that sends the server into an infinite loop, hanging the process and blocking subsequent requests; the information leak is triggered by a crafted request to a vulnerable Server Function. Affected versions span 19.0.0 through 19.2.2, with CVE-2025-67779 covering the releases (19.0.2, 19.1.3, 19.2.2) that incompletely fixed CVE-2025-55184. The flaws were found by security researchers investigating the framework after CVE-2025-55182 was exploited in the wild; no public exploit for the three new CVEs is known.
This incident underscores the growing trend of adversaries targeting server-side JavaScript frameworks, and the pattern of follow-on disclosures against the same component, including an incomplete first fix that required a second patch. Organizations relying on React for server-side rendering must remain vigilant, as repeated disclosures highlight both the software supply chain's fragility and the need for rigorous update cycles to fend off evolving threats.
Why This Matters Now
The related RSC flaw CVE-2025-55182 was exploited in the wild, and researchers found these follow-on variants shortly after it was patched, including a bypass of the first CVE-2025-55184 fix. Any internet-facing RSC deployment should be treated as exposed until upgraded; prompt updates are the only complete mitigation against the server hangs and source code leaks, since each needs only a single accepted pre-authentication request.
Attack Path Analysis
In a plausible chain, an attacker reaches an exposed Server Function endpoint without credentials and submits a crafted HTTP request that triggers the unsafe deserialization path. No privilege escalation is needed for impact: a single request can hang the server process (CVE-2025-55184 / CVE-2025-67779) or return the source code of any Server Function (CVE-2025-55183). Leaked source can include hardcoded secrets or internal details that ease lateral movement into other services where network segmentation is weak. Persistence is trivial, since the attacker simply repeats the crafted requests against any instance that recovers, so the practical outcomes are exfiltration of proprietary server-side code and loss of application availability, with corresponding business disruption.
Kill Chain Progression
Initial Compromise
Description
An attacker sends crafted HTTP requests to exposed Server Function endpoints, exploiting the pre-authentication deserialization flaws (CVE-2025-55184, and CVE-2025-67779 on releases carrying the incomplete fix) to hang the server process, or CVE-2025-55183 to read Server Function source code.
Related CVEs
CVE-2025-55184
CVSS 7.5
A pre-authentication denial-of-service vulnerability in React Server Components allows an attacker to send crafted HTTP requests to Server Function endpoints, causing an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Affected Products:
Meta react-server-dom-webpack – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-parcel – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-turbopack – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Exploit Status:
no public exploit
CVE-2025-67779
CVSS 7.5
An incomplete fix for CVE-2025-55184 in React Server Components allows an attacker to send crafted HTTP requests to Server Function endpoints, causing an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Affected Products:
Meta react-server-dom-webpack – 19.0.2, 19.1.3, 19.2.2
Meta react-server-dom-parcel – 19.0.2, 19.1.3, 19.2.2
Meta react-server-dom-turbopack – 19.0.2, 19.1.3, 19.2.2
Exploit Status:
no public exploit
CVE-2025-55183
CVSS 5.3
An information leak vulnerability in React Server Components allows a specifically crafted HTTP request to a vulnerable Server Function to return the source code of any Server Function, potentially exposing sensitive information.
Affected Products:
Meta react-server-dom-webpack – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-parcel – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-turbopack – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Credentials from Web Browsers (T1555.003)
Exploitation of Remote Services (T1210)
Endpoint Denial of Service: Application or System Exploitation (T1499.004)
Network Service Discovery (T1046)
Application Layer Protocol: Web Protocols (T1071.001)
Data from Local System (T1005)
Exfiltration Over Alternative Protocol (T1048)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Applications
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Continuous Vulnerability Detection & Remediation
Control ID: Application Workload Pillar – Vulnerability Management
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical React Server Components vulnerabilities enable DoS attacks and source code exposure, directly impacting software development frameworks and application security infrastructure.
Information Technology/IT
React RSC flaws create severe operational risks through service disruption and intellectual property theft via unsafe deserialization and information leak vulnerabilities.
Financial Services
High-severity React vulnerabilities threaten transaction processing systems and sensitive financial data through DoS attacks and potential source code exposure to attackers.
Health Care / Life Sciences
React RSC security flaws put HIPAA-covered systems at risk: a hung server disrupts patient-facing services, and exposed server-side source code can reveal the secrets and logic that protect patient data.
Sources
- New React RSC Vulnerabilities Enable DoS and Source Code Exposure (The Hacker News): https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html
- Denial of Service and Source Code Exposure in React Server Components (React blog): https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
- CVE-2025-55184 Detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2025-55184
- CVE-2025-67779 Detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2025-67779
- CVE-2025-55183 Detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2025-55183
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero trust segmentation, east-west traffic controls, egress policy enforcement, and real-time anomaly detection limit this chain at several points: restricting which sources can reach Server Function endpoints shrinks the pre-authentication exposure, segmentation contains any follow-on movement enabled by leaked secrets, and egress controls and anomaly detection flag source code leaving the environment and the sudden loss of service from a hung process. None of these replaces patching, since the DoS needs only one accepted request.
Control: Cloud Firewall (ACF)
Mitigation: Blocked external access to unauthorized or vulnerable endpoints.
Control: Zero Trust Segmentation
Mitigation: Prevented unauthorized access to internal services and functions.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized or anomalous workload-to-workload communication.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked requests matching known exploit payload patterns in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Detected and blocked sensitive data egress to unapproved destinations.
Control: Real-Time Anomaly Detection
Mitigation: Generated alerts and triggered automated response for anomalous service denial.
Impact at a Glance
Affected Business Functions
- Web Services
- Customer Support
Estimated downtime: 2 days
Estimated loss: $50,000
Potential exposure of sensitive source code, including hardcoded secrets, which could lead to further security breaches.
Recommended Actions
Key Takeaways & Next Steps
- Immediately upgrade react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to 19.0.3, 19.1.4, or 19.2.3 (or later); a 19.0.2, 19.1.3, or 19.2.2 install fixed only the first DoS issue and remains affected by CVE-2025-67779. Check nested copies in the lockfile, not only top-level dependencies.
- Implement Cloud Firewall and microsegmentation to strictly control both north-south and east-west application traffic.
- Enforce least privilege policies and regularly review which Server Functions are reachable without authentication to minimize attack surface.
- Deploy inline IPS and real-time anomaly detection to rapidly identify and block exploitation of critical vulnerabilities, and add process-level health checks so a hung instance is restarted rather than left serving nothing.
- Apply egress filtering and source code protection measures to prevent data leakage and detect suspicious outbound transfers; treat any secret hardcoded in Server Function source on an affected version as exposed and rotate it.