[CIVN-2025-0383] Multiple vulnerabilities exist in React Server Components

Published On: December 24, 2025

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
react-server-dom-webpack versions prior to 19.0.3, 19.1.4 and 19.2.3.
react-server-dom-parcel versions prior to 19.0.3, 19.1.4 and 19.2.3.
react-server-dom-turbopack versions prior to 19.0.3, 19.1.4 and 19.2.3.
Overview
Multiple vulnerabilities have been identified in React Server Components (RSC) that could allow attackers to perform denial-of-service (DoS) attacks or obtain sensitive source code and application data.
Target Audience:
All end-user organizations and individuals using React Server Components.
Impact Assessment:
High risk of service disruption and information disclosure.
Description
React Server Components (RSC) is a framework feature that allows server-side execution of React components to reduce client-side JavaScript and improve rendering performance.
These vulnerabilities exist in React Server Components (RSC) due to improper handling of stringified arguments in HTTP requests sent to Server Function (Server Action) endpoints. An attacker could exploit this behaviour by issuing specially crafted HTTP requests to a vulnerable server.
Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information and cause a denial-of-service condition on the targeted system.
Solution
 
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
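One way to check an npm lockfile against the fixed versions listed under Software Affected. This is an added example, not part of the CERT-In advisory or React's own code. It assumes the `packages` layout of an npm lockfile (version 2 or 3); the sample lockfile and the `some-framework` package are constructed for illustration, and versions outside the three listed release lines are reported as "unlisted" so they can be checked against the vendor post.

```javascript
// Fixed patch release per minor line, from the advisory's "Software Affected" list.
const FIXED = new Map([["19.0", 3], ["19.1", 4], ["19.2", 3]]);
const PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Classify one installed version as "affected", "fixed" or "unlisted".
// Assumption: a release line the advisory does not name is "unlisted".
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  if (!m) return "unlisted";
  const line = `${m[1]}.${m[2]}`;
  if (!FIXED.has(line)) return "unlisted";
  const patch = Number(m[3]);
  // A prerelease of the fixed patch sorts before the fixed release in semver.
  if (patch < FIXED.get(line) || (patch === FIXED.get(line) && m[4])) return "affected";
  return "fixed";
}

// Walk every installed copy, including copies nested under other packages.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!PACKAGES.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.2.3" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.0.1" },
    "node_modules/react": { version: "19.1.4" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.version} (${f.path})`);
}
```

To scan a real project, pass the parsed contents of its `package-lock.json` to `scanLockfile`; nested copies matter because a framework can bundle its own copy of these packages.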
Vendor Information
React
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
References
React
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
CVE Name
CVE-2025-55184
CVE-2025-67779
CVE-2025-55183
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003