Critical React Server Components Vulnerabilities 2025: RCE, DoS, and Source Code Exposure

December 15, 2025
15 min read
By Saad Minhas
Tags: React, Security, Vulnerabilities, React Server Components, RSC, Next.js, CVE-2025-55182, Remote Code Execution, React 19
🚨 CRITICAL SECURITY ALERT - December 2025 🚨


Multiple critical security vulnerabilities were disclosed in December 2025 in the React Server Components (RSC) runtime packages (`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`), affecting React 19.x and every framework that bundles that runtime, Next.js App Router included. The RCE is reported as actively exploited, and all three issues require immediate action.


The Vulnerabilities: What You Need to Know


1. CVE-2025-55182: Remote Code Execution (RCE) - CRITICAL


Disclosed: December 3, 2025

Severity: CRITICAL

Status: Actively Exploited


This is the most severe of the three. It allows unauthenticated remote code execution through unsafe deserialization of payloads sent to React Server Function endpoints: the RSC runtime decodes the request before any application code runs, so the flaw is reachable by anyone who can send a POST to the app.


Affected Versions (of the `react-server-dom-*` packages and the matching `react` / `react-dom` releases):

  • React 19.0.0
  • React 19.1.0
  • React 19.1.1
  • React 19.2.0

Affected Packages:

  • `react-server-dom-webpack`
  • `react-server-dom-parcel`
  • `react-server-dom-turbopack`

Affected Frameworks:

  • Next.js (App Router)
  • React Router
  • Waku
  • Parcel RSC
  • Vite RSC
  • Any framework using React Server Components

What This Means:


An attacker who can reach a React Server Function endpoint can send a crafted payload and execute arbitrary code on your server, with no credentials and no prior knowledge of your application. The endpoint belongs to the RSC runtime, so an App Router app is exposed whether or not it defines any Server Functions of its own. This is as bad as it gets: complete server compromise.


The Fix:


# IMMEDIATE ACTION REQUIRED - upgrade to the patched release on your line.
# The vulnerable code is in react-server-dom-*; if you depend on one of those
# packages directly, upgrade it together with react and react-dom.

# For React 19.0.x
npm install react@19.0.1 react-dom@19.0.1 react-server-dom-webpack@19.0.1

# For React 19.1.x
npm install react@19.1.2 react-dom@19.1.2 react-server-dom-webpack@19.1.2

# For React 19.2.x
npm install react@19.2.1 react-dom@19.2.1 react-server-dom-webpack@19.2.1

# Verify the resolved versions (not the ranges in package.json)
npm list react react-dom react-server-dom-webpack

Substitute `react-server-dom-parcel` or `react-server-dom-turbopack` for the bundler you actually use.

For Next.js Users:


# The App Router runs the copy of React and react-server-dom-webpack that is
# bundled inside the `next` package, so updating react/react-dom in your own
# package.json does NOT patch a Next.js app. Update Next.js itself:
npm install next@latest

# Verify, and compare against the fixed versions listed in the Next.js advisory
npm list next

2. CVE-2025-55184 & CVE-2025-67779: Denial of Service (DoS)


Disclosed: December 11, 2025

Severity: HIGH


These vulnerabilities can cause your server to hang, leading to a complete denial of service. They don't allow code execution, but a single crafted request is enough to take a worker out of service.


The Problem:


Malicious requests can be crafted to make the React Server Components runtime hang indefinitely while processing the payload, consuming server resources and making your application unavailable.


The Fix:


Upgrade again. The December 3 releases (19.0.1, 19.1.2, 19.2.1) fix only the RCE. The DoS and source-exposure issues were fixed in the December 11 releases (19.0.2, 19.1.3, 19.2.2), and CVE-2025-67779, assigned when the first DoS fix turned out to be incomplete, in the releases after that. Install the newest patch release on your line:

  • 19.0.3 or later
  • 19.1.4 or later
  • 19.2.3 or later

Next.js App Router users need the matching Next.js patch release, because the RSC runtime is bundled inside `next`.

3. CVE-2025-55183: Source Code Exposure


Disclosed: December 11, 2025

Severity: MEDIUM-HIGH


This vulnerability could expose the compiled source of a server function in a response, potentially revealing:

  • Business logic
  • Hardcoded secrets
  • API keys
  • Database connection strings
  • Internal architecture details

The Risk:


While not as severe as RCE, exposed source code gives an attacker a map of your server-side logic and, if anything is hardcoded, the credentials to go with it.


The Fix:


Upgrade to the December 11 patch releases (19.0.2, 19.1.3, 19.2.2) or later; the December 3 releases do not include this fix. Next.js App Router users need the matching Next.js patch release.


How to Check If You're Affected


Check Your React Version:


# Resolved versions, not the ranges in package.json
npm list react react-dom react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

# Next.js App Router: the copy that matters is bundled inside `next`
npm list next

`npm list` prints what is actually installed. A range in package.json is not enough to decide either way: `"react": "^19.2.0"` can resolve to 19.2.0 (vulnerable) or 19.2.1 (patched) depending on your lockfile.

Vulnerable resolved versions (CVE-2025-55182):

  • 19.0.0
  • 19.1.0 or 19.1.1
  • 19.2.0

Minimum patched versions for the RCE:

  • 19.0.1 on the 19.0 line
  • 19.1.2 on the 19.1 line
  • 19.2.1 on the 19.2 line

The December 11 DoS and source-exposure fixes need later patch releases again (19.0.3, 19.1.4, 19.2.3 or newer), so the safe rule is: install the newest patch release on your line. For Next.js, compare `npm list next` against the fixed versions in the Next.js advisory; the React version `npm list` shows is not the copy the App Router runs.
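The version check above relies on reading `npm list` output by eye, which misses a second, older copy of the runtime nested under another dependency. The script below is an added example (not from the React or Next.js advisories, and not part of this post originally): it walks a package-lock.json (v2/v3 format, which lists every installed copy under `packages`) and classifies each copy of the `react-server-dom-*` packages against the CVE-2025-55182 fix releases. The lockfile it runs on is constructed for illustration; on a real project pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead. Canary builds are deliberately reported as `unknown` rather than safe, and the `next` version is printed separately because its bundled runtime never appears in the lockfile.

```javascript
// Added example: classify installed RSC runtime packages from a package-lock.json.
// Not the React team's tooling; the sample lockfile below is constructed.

// Runtime packages the React advisory names as affected.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Patch number of the first release on each affected 19.x line that fixes
// CVE-2025-55182 (the later DoS / source-exposure CVEs need newer releases).
const FIRST_FIXED = { '19.0': 1, '19.1': 2, '19.2': 1 };

// Returns 'affected' | 'patched' | 'not-affected' | 'unknown'.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) return 'unknown';
  const [major, minor, patch] = [Number(m[1]), Number(m[2]), Number(m[3])];
  // Prerelease/canary builds (which frameworks often vendor) are not covered
  // by the release table; never report them as safe.
  if (m[4]) return 'unknown';
  if (major < 19) return 'not-affected'; // React 18 and below are not listed
  const fixedPatch = FIRST_FIXED[`${major}.${minor}`];
  if (fixedPatch === undefined) return 'unknown'; // line not in the advisory
  return patch >= fixedPatch ? 'patched' : 'affected';
}

// Lockfile v2/v3 lists every installed copy, nested duplicates included, under
// "packages" keyed by its node_modules path. That is why it is the right input:
// `npm list` output is easy to misread when an older copy is nested.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = path.split('node_modules/').pop();
    if (!RSC_PACKAGES.has(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Next.js App Router ships its own bundled copy of react-server-dom-webpack that
// never appears in the lockfile, so the framework version has to be checked
// against the framework's own advisory separately.
function frameworkVersion(lock, name = 'next') {
  return lock.packages?.[`node_modules/${name}`]?.version;
}

// Constructed sample lockfile: a top-level 19.2.0 copy (affected) and a patched
// 19.2.1 copy nested under another dependency.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-dom': { version: '19.2.0' },
    'node_modules/next': { version: '16.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-rsc-tool/node_modules/react-server-dom-webpack': { version: '19.2.1' },
  },
};

// Prints one line per finding and returns true when anything needs attention.
function report(lock) {
  const findings = scanLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
  }
  const next = frameworkVersion(lock);
  if (next) console.log(`check-advisory next@${next} (bundles its own RSC runtime)`);
  return findings.some((f) => f.status === 'affected' || f.status === 'unknown');
}

report(SAMPLE_LOCKFILE);
```

Run it as part of CI and fail the build when `report` returns true; a 19.x canary version string is treated as unknown on purpose, since only the framework advisory can say whether a given vendored build is patched.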

Immediate Action Steps


Step 1: Update React (URGENT)


# Update to the newest patch release on your line
npm install react@latest react-dom@latest

# If you depend on an RSC runtime package directly, update it too
npm install react-server-dom-webpack@latest

# Don't delete package-lock.json to "force" the update: that re-resolves every
# dependency you have and throws away the record of what you were running.
# Let npm rewrite the affected lock entries, review the diff, and commit it.
git diff package-lock.json

Step 2: Update Next.js (If Using)


# The App Router uses the copy of React bundled inside `next`, so this step,
# not Step 1, is what actually patches a Next.js app
npm install next@latest

# Verify, and compare against the fixed versions in the Next.js advisory
npm list next

Step 3: Test Your Application


# Build as for production; the dev server hides bundling problems
npm run build
npm run start

# Exercise every Server Function: form submissions, mutations, anything that
# calls a 'use server' function, plus the RSC pages themselves

Step 4: Audit Dependencies


# Check for other vulnerable dependencies (these CVEs are in the advisory
# database npm audit consults)
npm audit

# Fix automatically where possible
npm audit fix

# Fail CI on high/critical findings
npm audit --audit-level=high

Understanding React Server Components Vulnerabilities


What Are React Server Components?


React Server Components (RSC) allow you to render components on the server, reducing client-side JavaScript and improving performance. They're a core feature of Next.js App Router.


Example of RSC:


// app/users/page.tsx (Next.js App Router)
type User = { id: string; name: string };

export default async function UsersPage() {
  // This runs on the server; the client receives rendered output, not this code
  const users: User[] = await fetch('https://api.example.com/users').then(r => r.json());

  return (
    <div>
      {users.map(user => (
        <div key={user.id}>{user.name}</div>
      ))}
    </div>
  );
}

Why Are RSC Vulnerable?


The vulnerabilities stem from how React Server Components serialize and deserialize data between client and server. When the client calls a Server Function, it sends the arguments in React's RSC wire format, and the server-side runtime (`react-server-dom-*`) deserializes them before your function body runs. CVE-2025-55182 is a flaw in that deserializer: a crafted payload reaches code paths that execute attacker-controlled input. Because the deserialization happens inside the framework, nothing you write in the function itself can block it; only the patched runtime does.


The Attack Vector:


1. Attacker sends a crafted payload to a React Server Function endpoint (no authentication needed)

2. The RSC runtime deserializes the payload unsafely, before any application code runs

3. Attacker-controlled code executes on the server

4. Attacker gains control of your server


Additional Security Measures


1. Implement Rate Limiting


Even after patching, rate limit your Server Function endpoints. Be clear about what this buys you: it slows down scanning and brute-force noise and bounds the damage of a DoS payload, but it does not mitigate the RCE, where one request is enough. Two details matter for the implementation: Server Functions are invoked by a POST to the page's own route carrying a `Next-Action` header (not under `/api`), and `NextRequest` no longer has an `ip` property in Next.js 15 and later.


// middleware.ts (Next.js; in Next.js 16 this file is named proxy.ts)
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

const LIMIT = 10;          // Server Function calls per window, per client
const WINDOW_MS = 60_000;  // 1 minute

// Per-process memory: fine for one Node instance, useless across several
// instances or serverless workers. Use a shared store (Redis etc.) there.
const rateLimitMap = new Map<string, number[]>();

export function middleware(request: NextRequest) {
  // Server Functions are invoked with a POST that carries a Next-Action header
  // on the page's own route, so key on the header rather than on a path.
  const isServerFunctionCall =
    request.method === 'POST' && request.headers.has('next-action');
  if (!isServerFunctionCall) {
    return NextResponse.next();
  }

  // Take the client address from the proxy header. This is only meaningful when
  // your reverse proxy overwrites it; otherwise the client can set it freely.
  const ip =
    request.headers.get('x-forwarded-for')?.split(',')[0].trim() ?? 'unknown';

  const now = Date.now();
  // Drop timestamps that have fallen out of the window
  const recentRequests = (rateLimitMap.get(ip) ?? []).filter(
    (time) => now - time < WINDOW_MS
  );

  if (recentRequests.length >= LIMIT) {
    return new NextResponse('Too many requests', { status: 429 });
  }

  recentRequests.push(now);
  rateLimitMap.set(ip, recentRequests);

  return NextResponse.next();
}

export const config = {
  // Run on page routes (where Server Function POSTs land); skip static assets
  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};

2. Validate All Server Function Inputs


Input validation is good hygiene, but know what it does and does not cover here: CVE-2025-55182 is triggered while the RSC runtime deserializes the request, before your function body runs, so no check inside the function can stop it. Patching is the only fix for the runtime; validation protects the logic that runs after deserialization.


// app/actions.ts
'use server';

import { z } from 'zod';

const userSchema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
});

export async function createUser(formData: FormData) {
  // Validate input before processing (React has already deserialized the
  // request by the time this runs)
  const result = userSchema.safeParse({
    name: formData.get('name'),
    email: formData.get('email'),
  });

  if (!result.success) {
    // Return a generic error; don't echo the raw input back to the client
    return { error: 'Invalid input' };
  }

  // Process validated data
  const { name, email } = result.data;
  // ...
  return { ok: true, name, email };
}

3. Use Environment Variables for Secrets


Never hardcode secrets in server components or server functions. CVE-2025-55183 is exactly the case where this matters: if the compiled function source can leak, a literal key leaks with it, whereas a `process.env` lookup leaks only the variable name.


// BAD: the literal ends up in the compiled server bundle
const API_KEY = 'sk_live_1234567890';

// GOOD: read at runtime from the environment
const API_KEY = process.env.API_KEY;
if (!API_KEY) {
  throw new Error('API_KEY is not set');
}

// Never name a secret NEXT_PUBLIC_*: Next.js inlines those into the client bundle.

4. Monitor for Suspicious Activity


Logging inside a Server Function only records calls that made it past deserialization, so a payload that exploits the runtime never reaches this code. Keep this application-level log, but also log Server Function POSTs (method, `Next-Action` header, client address, status, duration) at the proxy or middleware layer, where every request is visible.


// app/actions.ts
'use server';

import { headers } from 'next/headers';

export async function serverAction(data: unknown) {
  // Log every invocation with who called it, not what they sent
  const h = await headers();
  console.log('Server action called:', {
    timestamp: new Date().toISOString(),
    action: 'serverAction',
    ip: h.get('x-forwarded-for')?.split(',')[0] ?? 'unknown',
    dataType: typeof data,
    // Don't log the payload itself: it may contain PII or credentials
  });

  // Implement your logic
  // ...
}
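What to do with such a log once you have it is the part the section above leaves open. The following is an added example, not part of the original post or of Next.js: two detection rules run over proxy-level Server Function request logs. The log format is constructed (one JSON object per line, as a reverse proxy or custom logger could emit); the only framework fact it relies on is that Next.js invokes a Server Function with an HTTP POST carrying a `Next-Action` header. Rule 1 flags one client address firing many Server Function calls in a short window (endpoint scanning or brute forcing); rule 2 flags a single call that ran far longer than normal, the symptom you would expect from the DoS CVEs where the runtime hangs on a crafted payload.

```javascript
// Added example: detection rules over constructed Server Function request logs.
// Not Next.js code; the log lines below are made up for illustration.
const SAMPLE_LOG = `
{"ts":"2025-12-12T10:00:00.000Z","ip":"203.0.113.7","method":"POST","path":"/","nextAction":"7f3a","status":200,"durationMs":12}
{"ts":"2025-12-12T10:00:02.000Z","ip":"203.0.113.7","method":"POST","path":"/","nextAction":"7f3a","status":200,"durationMs":9}
{"ts":"2025-12-12T10:00:04.000Z","ip":"203.0.113.7","method":"POST","path":"/","nextAction":"7f3a","status":500,"durationMs":15}
{"ts":"2025-12-12T10:00:05.000Z","ip":"198.51.100.4","method":"POST","path":"/checkout","nextAction":"c0de","status":504,"durationMs":31000}
{"ts":"2025-12-12T10:00:05.500Z","ip":"192.0.2.1","method":"GET","path":"/","status":200,"durationMs":40}
{"ts":"2025-12-12T10:00:06.000Z","ip":"203.0.113.7","method":"POST","path":"/","nextAction":"7f3a","status":500,"durationMs":11}
not-json garbage line
{"ts":"2025-12-12T10:00:08.000Z","ip":"203.0.113.7","method":"POST","path":"/","nextAction":"7f3a","status":500,"durationMs":14}
`.trim().split('\n');

// Keep only Server Function invocations (POST + Next-Action), parsed and in
// time order. Malformed lines are skipped rather than aborting the run.
function parseServerActionLog(lines) {
  const events = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; }
    if (e.method === 'POST' && typeof e.nextAction === 'string') {
      events.push({ ...e, t: Date.parse(e.ts) });
    }
  }
  return events.sort((a, b) => a.t - b.t);
}

// Rule 1 (action-burst): one client address invoking Server Functions at least
// `burstThreshold` times within `windowMs`; reported once per address.
// Rule 2 (slow-action): a single invocation that took at least `slowMs`,
// consistent with the runtime hanging on a crafted payload.
function detect(lines, { burstThreshold = 20, windowMs = 60_000, slowMs = 10_000 } = {}) {
  const alerts = [];
  const recentByIp = new Map();   // ip -> timestamps inside the sliding window
  const burstReported = new Set();
  for (const e of parseServerActionLog(lines)) {
    const recent = (recentByIp.get(e.ip) ?? []).filter((t) => e.t - t < windowMs);
    recent.push(e.t);
    recentByIp.set(e.ip, recent);
    if (recent.length >= burstThreshold && !burstReported.has(e.ip)) {
      burstReported.add(e.ip);
      alerts.push({ rule: 'action-burst', ip: e.ip, count: recent.length, at: e.ts });
    }
    if (e.durationMs >= slowMs) {
      alerts.push({
        rule: 'slow-action',
        ip: e.ip,
        action: e.nextAction,
        durationMs: e.durationMs,
        at: e.ts,
      });
    }
  }
  return alerts;
}

// Thresholds tuned low for the constructed sample; set them from your own
// baseline (e.g. p99 action duration) in production.
const ALERTS = detect(SAMPLE_LOG, { burstThreshold: 5, windowMs: 60_000, slowMs: 10_000 });
for (const a of ALERTS) console.log(JSON.stringify(a));
```

On the sample the run yields two alerts: the 31 s call from 198.51.100.4 and the burst of five calls from 203.0.113.7. The GET and the malformed line are ignored. Ship the alerts to whatever already pages you; the point of keying on the `Next-Action` header is that it isolates the exact endpoint class these CVEs target from ordinary page traffic.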

Impact Assessment


Who Is Affected?


  • ✅ **Next.js App Router users** - High risk (the vulnerable runtime is bundled inside `next`)
  • ✅ **React 19.x users with Server Components** - High risk
  • ✅ **Any application using React Server Functions** - High risk
  • ⚠️ **Next.js Pages Router only** - Not affected by these CVEs (the RSC runtime is not used), but update anyway
  • ⚠️ **React 18.x and below** - Not affected (the vulnerable packages are 19.x only), but stay current

What Should You Do Right Now?


1. STOP - Don't panic, but act quickly

2. CHECK - Verify your React version

3. UPDATE - Upgrade to patched versions immediately

4. TEST - Ensure your app still works

5. MONITOR - Watch for suspicious activity

6. AUDIT - Check all dependencies


Timeline of Events


  • **December 3, 2025:** CVE-2025-55182 (RCE) disclosed; React 19.0.1, 19.1.2 and 19.2.1 released, with matching Next.js patch releases
  • **December 11, 2025:** CVE-2025-55184 (DoS) and CVE-2025-55183 (source code exposure) disclosed; React 19.0.2, 19.1.3 and 19.2.2 released
  • **December 11, 2025 and following days:** CVE-2025-67779 assigned for an incomplete fix of the DoS issue; React 19.0.3, 19.1.4 and 19.2.3 released
  • **Ongoing:** Active exploitation attempts reported

Official Resources


  • [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
  • [Next.js Security Advisory](https://nextjs.org/blog/CVE-2025-66478)
  • [React GitHub Security](https://github.com/facebook/react/security)

Prevention for the Future


1. Subscribe to security advisories - Follow React and Next.js security channels

2. Enable Dependabot - Automatic security updates

3. Regular audits - Run npm audit weekly

4. Stay updated - Don't fall behind on updates

5. Monitor dependencies - Use tools like Snyk


Conclusion


These React Server Components vulnerabilities are CRITICAL and require immediate action. The Remote Code Execution vulnerability (CVE-2025-55182) is reported as actively exploited, meaning attackers are already probing for unpatched servers.


Do not delay. Update to the newest patch release on your React line and, if you use the Next.js App Router, update Next.js itself, since the vulnerable runtime ships inside it. The patches are available; there is no reason to remain vulnerable.


Remember:

  • ✅ Update React to the latest patch on your line (19.0.3, 19.1.4 or 19.2.3, or newer; the December 3 releases fix only the RCE)
  • ✅ Update Next.js itself if you use the App Router
  • ✅ Test your application after updating
  • ✅ Monitor for suspicious activity
  • ✅ Implement additional security measures

Security is not optional. Your users' data and your server's integrity depend on taking action now.

© 2026 Saad Minhas. All Rights Reserved.