
New React RSC Vulnerabilities Enable DoS and Source Code Exposure

Severity: Critical
Tags: exploit, rce, dos
Published: Fri Dec 12 2025 (12/12/2025, 08:55:00 UTC)
Source: The Hacker News

Description

The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in

AI-Powered Analysis

Last updated: 12/12/2025, 09:45:11 UTC

Technical Analysis

The React team disclosed three new vulnerabilities in React Server Components (RSC), a framework feature enabling server-side rendering and component streaming. The first two, CVE-2025-55184 and CVE-2025-67779 (both CVSS 7.5), are denial-of-service (DoS) flaws caused by unsafe deserialization of HTTP request payloads sent to Server Function endpoints. The unsafe deserialization triggers an infinite loop that hangs the server process, so it can no longer handle subsequent HTTP requests.

The third vulnerability, CVE-2025-55183 (CVSS 5.3), is an information leak that allows an attacker to retrieve the source code of Server Functions by sending specially crafted HTTP requests. The leak requires Server Functions that expose arguments converted into string format, which may not be present in every deployment.

The vulnerabilities affect react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack in versions 19.0.0 through 19.2.2; patches are available in versions 19.0.3, 19.1.4, and 19.2.3. The issues were discovered during attempts to exploit an earlier critical vulnerability, CVE-2025-55182 (CVSS 10.0), which has been weaponized in the wild. The React team credits security researchers RyotaK, Shinsaku Nomura, and Andrew MacPherson for reporting the flaws.

The vulnerabilities allow unauthenticated attackers to disrupt service or gain unauthorized access to source code, posing significant risks to confidentiality and availability. The React team emphasizes the importance of rapid patching and notes that additional disclosures reflect a healthy security response cycle. No known exploits are currently active for these new vulnerabilities, but active exploitation of the prior critical bug increases the urgency of remediation.

Potential Impact

For European organizations, these vulnerabilities pose significant risks. The DoS flaws can disrupt critical web services by causing server processes to hang indefinitely, leading to downtime and degraded user experience. This is particularly impactful for sectors relying on high availability such as e-commerce, finance, healthcare, and public services. The information disclosure vulnerability threatens intellectual property and sensitive business logic confidentiality by exposing source code, which could facilitate further attacks or competitive disadvantage. Organizations using affected React Server Component versions in production environments are vulnerable to unauthenticated remote attacks, increasing the attack surface. Given React's widespread adoption in Europe, especially in technology-driven economies, the potential for service disruption and data leakage is substantial. The vulnerabilities could also undermine customer trust and lead to regulatory compliance issues under GDPR if sensitive data exposure occurs. The absence of known exploits currently provides a window for mitigation, but the weaponization of the related CVE-2025-55182 suggests attackers may soon target these new flaws.

Mitigation Recommendations

European organizations should immediately update all affected React Server Component packages to the patched versions 19.0.3, 19.1.4, or 19.2.3 depending on their deployment. Beyond patching, developers should audit Server Functions to ensure no arguments are implicitly or explicitly converted to string formats that could be exploited for source code disclosure. Implement strict input validation and sanitization on all HTTP request payloads to prevent unsafe deserialization. Employ runtime monitoring and anomaly detection to identify unusual request patterns indicative of exploitation attempts, such as repeated requests triggering infinite loops. Use rate limiting and web application firewalls (WAFs) to mitigate potential DoS attacks. Conduct thorough security testing and code reviews focusing on deserialization logic and Server Function exposure. Maintain an incident response plan tailored to web application DoS and information disclosure scenarios. Finally, keep abreast of React security advisories and community reports to respond swiftly to emerging threats related to RSC.
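The first step above, finding affected react-server-dom-* packages in a dependency tree, can be scripted against an npm lockfile. The following is an added example, not code from the advisory or the React project; it assumes the npm lockfileVersion 2/3 layout and uses the patched versions named above:

```javascript
// Added example (not from the advisory or the React project): flag the
// react-server-dom-* entries in an npm lockfile (lockfileVersion 2/3) whose
// version is below the patched release for their minor line.
const AFFECTED = new Set(["react-server-dom-parcel",
  "react-server-dom-turbopack", "react-server-dom-webpack"]);
// Patched versions named in the advisory, keyed by "major.minor" line.
const FIXED = { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" };

// Parse "X.Y.Z"; a pre-release suffix is ignored, so a canary build below
// the fix is still flagged (conservative).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Returns the version to upgrade to, or null when the installed version is
// already patched or outside the affected 19.0-19.2 lines.
function requiredFix(version) {
  const [major, minor] = parseVersion(version);
  const fix = FIXED[`${major}.${minor}`];
  return fix && compareVersions(version, fix) < 0 ? fix : null;
}

// Lockfile "packages" keys are "node_modules/<name>" or nested
// "node_modules/a/node_modules/<name>"; the last segment is the name.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED.has(name) || !entry.version) continue;
    const fix = requiredFix(entry.version);
    if (fix) findings.push({ path, version: entry.version, fixedIn: fix });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/react-server-dom-webpack": { version: "19.2.1" },
  "node_modules/react-server-dom-turbopack": { version: "19.1.4" },
  "node_modules/app/node_modules/react-server-dom-parcel": { version: "19.0.0" },
} };
console.log(findVulnerable(SAMPLE_LOCK)); // webpack -> 19.2.3, parcel -> 19.0.3
```

Nested copies matter: a patched top-level package does not help if a transitive dependency still pins an older react-server-dom-* build, which is why the walk covers every node_modules path rather than only direct dependencies.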


Technical Details

Article Source: https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html (fetched 2025-12-12T09:44:47Z, 957 words)

Threat ID: 693be412406b3dd4e0220011

Added to database: 12/12/2025, 9:44:50 AM

Last enriched: 12/12/2025, 9:45:11 AM

Last updated: 12/12/2025, 4:41:56 PM

