Summary
React Server Components security vulnerabilities were disclosed on December 11, 2025 that are separate from CVE-2025-55182 (which was fixed in PR #2175). These new vulnerabilities affect the react-server-dom-webpack package and require an upgrade from version 19.0.1 to 19.0.3.
Vulnerabilities
1. Denial of Service (DoS) via Infinite Loop
- CVEs: CVE-2025-55184, CVE-2025-67779
- Severity: High (CVSS 7.5)
- Affected Versions: 19.0.0–19.0.2, 19.1.0–19.1.2, 19.2.0–19.2.1
- Fixed In: 19.0.3, 19.1.4, 19.2.3
Description: A malicious HTTP request sent to any Server Functions endpoint can cause an infinite loop that hangs the server process and consumes CPU resources. No special privileges or authentication are required.
Attack Vector:
- Crafted malicious HTTP requests to Server Functions endpoints
- When deserialized by React, triggers infinite loop
- Network-accessible (CVSS 7.5)
2. Source Code Exposure
- CVE: CVE-2025-55183
- Severity: Medium (CVSS 5.3)
- Affected Versions: 19.0.0–19.0.2, 19.1.0–19.1.3, 19.2.0–19.2.2
- Fixed In: 19.0.3, 19.1.4, 19.2.3
Description: Malicious HTTP requests to vulnerable Server Functions can return the source code of any Server Function.
Exploitation Requirements:
- Requires Server Function with stringified arguments
- Exposed data includes:
- Source code inside Server Functions
- Hardcoded secrets in source code
- Potentially other inlined functions
What Cannot Be Exposed:
- Runtime secrets (e.g., `process.env.SECRET`)
- Code outside Server Functions
Current Status
- ✅ CVE-2025-55182 (RCE): Fixed in PR #2175 ("Fix CVE-2025-55182 - React Server Components RCE Vulnerability"; react 19.0.1)
- ❌ CVE-2025-55184 (DoS): Vulnerable - requires upgrade to 19.0.3
- ❌ CVE-2025-67779 (DoS incomplete fix): Vulnerable - requires upgrade to 19.0.3
- ❌ CVE-2025-55183 (Source Code Exposure): Vulnerable - requires upgrade to 19.0.3
Impact
The project includes a copy of react-server-dom-webpack in src/react-server-dom-webpack/ which is currently at version 19.0.1. This needs to be upgraded to 19.0.3.
Files affected:
- `src/react-server-dom-webpack/package.json` (version field)
- All compiled bundles in `src/react-server-dom-webpack/cjs/` and `src/react-server-dom-webpack/esm/`
Key Changes in 19.0.3
- Added cycle protection to prevent infinite loops in thenable handling
- Masked server function source code when stringified (returns `"function () { [omitted code] }"`)
- Added "then" key protection to prevent prototype pollution attacks
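As an added illustration (not React's code and not part of this issue), the two hardening ideas above in plain JavaScript: a deserializer for untrusted request bodies that refuses the reserved `then` key, and a wrapper that masks a server function's source when it is stringified. `FORBIDDEN_KEYS`, `parseServerArgs`, `maskSource` and the sample payloads are assumptions made up for this example.

```javascript
// Illustrative only: a hardened JSON reviver and a source-masking wrapper
// in the spirit of the 19.0.3 changes. Not react-server-dom-webpack code.

// `then` is refused so a deserialized object can never be duck-typed as a
// thenable by downstream code; `__proto__` is refused as defense in depth
// against prototype pollution through later object merges (an extension
// beyond the page, which names only the `then` key).
const FORBIDDEN_KEYS = new Set(['then', '__proto__']);

// Parse an untrusted Server Function argument payload. Any object, at any
// depth, carrying a forbidden key aborts the whole parse.
function parseServerArgs(text) {
  return JSON.parse(text, (key, value) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected reserved key in request payload: ${key}`);
    }
    return value;
  });
}

// Wrap a server function so that String(fn), `${fn}` and fn.toString()
// return the masked form quoted in this issue instead of the real body.
// The function remains callable; only stringification is affected.
function maskSource(fn) {
  Object.defineProperty(fn, 'toString', {
    value: () => 'function () { [omitted code] }',
    writable: false,
    configurable: false,
  });
  return fn;
}

// Constructed sample payloads: one benign, one carrying a nested `then` key.
const BENIGN_PAYLOAD = '{"id":7,"tags":["a","b"]}';
const HOSTILE_PAYLOAD = '{"id":7,"nested":{"then":1}}';

// Returns true when the hostile payload is rejected and the benign one parses.
function selfCheck() {
  const ok = parseServerArgs(BENIGN_PAYLOAD).id === 7;
  let rejected = false;
  try {
    parseServerArgs(HOSTILE_PAYLOAD);
  } catch (e) {
    rejected = true;
  }
  const fn = maskSource(function lookupUser() { return 'dbpass=hunter2'; });
  const masked = String(fn) === 'function () { [omitted code] }' && fn() === 'dbpass=hunter2';
  return ok && rejected && masked;
}
```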
Timeline
| Date | Event |
|---|---|
| Dec 3 | Source code exposure reported |
| Dec 4 | Initial DoS reported |
| Dec 6 | Both issues confirmed by React team |
| Dec 7 | Initial fixes created |
| Dec 8 | PR #2175 merged (CVE-2025-55182 RCE fix) |
| Dec 10 | Hosting mitigations in place |
| Dec 11 | Patches published; CVEs disclosed (19.0.3 released) |
References
- React Blog: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
- CVE-2025-55184: https://www.cve.org/CVERecord?id=CVE-2025-55184
- CVE-2025-67779: https://www.cve.org/CVERecord?id=CVE-2025-67779
- CVE-2025-55183: https://www.cve.org/CVERecord?id=CVE-2025-55183
To Do
- Update `src/react-server-dom-webpack/` to 19.0.3
- Verify all security fixes are included in bundled files
- Run full test suite
- Update CHANGELOG.md
- Create PR and verify CI passes