New React Server Components Vulnerabilities (CVE-2025-55184, CVE-2025-55183, CVE-2025-67779) Cause DoS and Source Code Exposure
On December 11, 2025, the React team disclosed additional vulnerabilities following the critical RCE vulnerability (CVE-2025-55182).
| Vulnerability | Severity | CVE | CVSS |
|---|---|---|---|
| Denial of Service (DoS) | High | CVE-2025-55184, CVE-2025-67779 | 7.5 |
| Source Code Exposure | Medium | CVE-2025-55183 | 5.3 |
Compared to the previous RCE vulnerability:
| Vulnerability | Severity | CVE | CVSS |
|---|---|---|---|
| Denial of Service (DoS) | Critical | CVE-2025-55182 | 10.0 |
Even if you patched earlier for the RCE vulnerability (CVE-2025-55182), you still need to patch.
If you are using any `react-server-dom-*` packages, update them or check with `npm audit`, specifically the following:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
This mostly affects Next.js and React Server Components. However, React Native and Expo applications should also check whether they use these packages. Update these packages to the corresponding patched version: 19.0.3, 19.1.4, or 19.2.3.
If you are using an older version of Next.js, also update it as for the previous vulnerability (i.e. 13.3+).
For Expo developers, the Expo team has patched SDK 54, SDK 53 and canary; install the updates or check with `npx expo install --check`:
```shell
# SDK 54
npm install expo-router@6.0.19 jest-expo@54.0.16
# SDK 53
npm install expo-router@5.1.10 jest-expo@53.0.13
# canary
npm install expo-router@7.0.0-canary-20251211-7da85ea jest-expo@55.0.0-canary-20251211-7da85ea
```
Source Code Exposure Vulnerability
The vulnerability can be exploited if your application has a Server Function that directly exposes a stringified argument.
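To make that shape concrete, here is an added example (not React's or Next.js's code) of a Server Function that returns a stringified argument, beside a version that validates the argument before stringifying it. In JavaScript, coercing a function value to a string yields its source text, which is why echoing an argument of an unexpected type back to the caller is a source-exposure surface. Upgrading `react-server-dom-*` is the fix; the guard is a code-review pattern for finding and narrowing such functions. The function names and the `secretHelper` stand-in are constructed for the example.

```javascript
'use strict';
// Added example, not React or Next.js code: the "returns a stringified argument" shape the
// advisory names, and a guarded version of the same function.

// Risky shape: whatever value arrived as `name` is coerced to a string and sent back.
function formatGreetingUnchecked(name) {
  return `Hello, ${name}!`;
}

// Guard: accept only a plain string of bounded length. Functions, objects with a custom
// toString, promises and anything else are rejected before any stringification happens.
function assertPlainString(value, { maxLen = 256 } = {}) {
  if (typeof value !== 'string') {
    throw new TypeError(`expected a string argument, got ${typeof value}`);
  }
  if (value.length > maxLen) {
    throw new RangeError(`argument longer than ${maxLen} characters`);
  }
  return value;
}

// Hardened shape: validation runs first, the template literal only ever sees a string.
function formatGreetingChecked(name) {
  return `Hello, ${assertPlainString(name)}!`;
}

// What a 'use server' module would export (hypothetical names); the async wrappers keep the
// Server Function signature while the synchronous helpers above stay easy to test.
async function greetUnchecked(name) { return formatGreetingUnchecked(name); }
async function greetChecked(name) { return formatGreetingChecked(name); }

// Demo: a constructed server-side function stands in for an argument of the wrong type.
function secretHelper() { return 'internal logic'; } // constructed stand-in, not real code
console.log(formatGreetingUnchecked(secretHelper)); // the reply contains the function's source
try {
  formatGreetingChecked(secretHelper);
} catch (e) {
  console.log(`rejected: ${e.message}`); // rejected: expected a string argument, got function
}
```

When reviewing a codebase for this pattern, look for Server Functions that interpolate, `String()`, `JSON.stringify()` or concatenate a parameter directly into their return value or into anything rendered back to the client, and give each such parameter an explicit type and length check like `assertPlainString` above.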
Denial of Service Vulnerability
This vulnerability can be exploited when a malicious actor sends a crafted request to any Server Function, causing an infinite loop in React's deserialization logic. The server process hangs and consumes CPU.