Security update
Denial of Service and Source Code Exposure in React Server Components
Published December 11, 2025. Updated January 26, 2026 with additional DoS findings and fixed versions.
Immediate action required
New vulnerabilities were disclosed while testing the earlier fix. They do not enable remote code execution, but you should upgrade immediately.
- DoS (High, CVSS 7.5): CVE-2025-55184, CVE-2025-67779, CVE-2026-23864
- Source code exposure (Medium, CVSS 5.3): CVE-2025-55183
- React2Shell mitigation remains effective; no RCE in these findings
- Previous patches (19.0.3, 19.1.4, 19.2.3) are incomplete and must be updated again
Affected packages and fixed versions
The vulnerabilities are present in the React Server Components packages for Webpack, Parcel, and Turbopack.
- Packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- Vulnerable: 19.0.0–19.0.3, 19.1.0–19.1.3, 19.2.0–19.2.3
- Fixed: 19.0.4, 19.1.5, 19.2.4
Who is affected
If your app runs React Server Components or Server Functions, you are impacted. Apps without a React server are not.
- Affected frameworks/bundlers include next, react-router, waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk
- If you do not use a framework or bundler that supports RSC, you are not affected
- React Native monorepos should update only the impacted packages, if any of them are installed
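To turn the package list and version ranges above into a repeatable check, here is an added example (not code from the React project or this advisory) that audits a package-lock.json for the three react-server-dom-* packages and for the RSC-capable frameworks the advisory names. It treats any 19.x version below the fixed patch for its minor line as vulnerable, which also covers the incomplete 19.1.4 patch mentioned above. The lockfile embedded in the block is constructed sample input; pass a real lockfile path as the first argument to audit your own project.

```javascript
// Added example: audit a package-lock.json against this advisory.
// Version data is taken from the advisory; the SAMPLE_LOCK below is constructed.

// Fixed versions per the advisory: 19.0.4, 19.1.5, 19.2.4.
// Any 19.x release below the fixed patch on its minor line is treated as vulnerable.
const FIXED_PATCH = { "19.0": 4, "19.1": 5, "19.2": 4 };

// Packages the advisory lists as vulnerable.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Frameworks/bundlers the advisory lists as RSC-capable; their presence puts the app in scope.
const RSC_FRAMEWORKS = new Set([
  "next", "react-router", "waku", "@parcel/rsc", "@vite/rsc-plugin", "rwsdk",
]);

// Parse "major.minor.patch" (ignores prerelease/build suffixes); null if unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// True when the version falls inside an advisory range (below the fixed patch on 19.0/19.1/19.2).
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false;        // only 19.x lines are listed
  const fixed = FIXED_PATCH[`${p.major}.${p.minor}`];
  if (fixed === undefined) return false;         // minor line not covered by the advisory
  return p.patch < fixed;
}

// Walk the lockfile "packages" map (lockfileVersion 2/3: keys look like "node_modules/<name>",
// possibly nested under another package's node_modules).
function auditLockfile(lock) {
  const findings = [];
  const frameworks = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue;                         // "" is the root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (RSC_PACKAGES.has(name) && isVulnerable(entry.version)) {
      findings.push({ name, version: entry.version, path });
    }
    if (RSC_FRAMEWORKS.has(name)) frameworks.push(name);
  }
  return { inScope: frameworks.length > 0, frameworks, findings };
}

// Constructed sample lockfile: one vulnerable and one fixed RSC package, Next.js present.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.3" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.4" },
  },
};

function main() {
  const file = process.argv[2];
  const lock = file
    ? JSON.parse(require("fs").readFileSync(file, "utf8"))
    : SAMPLE_LOCK;
  const result = auditLockfile(lock);
  console.log(`RSC frameworks found: ${result.frameworks.join(", ") || "none"}`);
  for (const f of result.findings) {
    console.log(`VULNERABLE ${f.name}@${f.version} (${f.path}); upgrade to 19.0.4 / 19.1.5 / 19.2.4`);
  }
  if (result.findings.length === 0) console.log("No vulnerable react-server-dom-* versions found.");
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it with `node audit-rsc.js path/to/package-lock.json`; without an argument it audits the constructed sample and reports the 19.2.3 webpack package. Nested copies under another package's node_modules are reported too, since a hoisted fixed version does not protect a framework that pins its own older copy.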
Denial of Service details
Specially crafted HTTP requests to Server Function endpoints can trigger infinite loops, crashes, high CPU usage, or out-of-memory errors. The January 26, 2026 patches close remaining DoS paths.
- High severity (CVSS 7.5)
- Applies to any app using RSC, even one that does not explicitly define Server Functions
- Earlier DoS fix for CVE-2025-55184 was incomplete
Source code exposure details
A malicious request could cause a Server Function to return its own source code when its arguments are stringified. Only secrets embedded in that source code are at risk.
- Medium severity (CVSS 5.3)
- Runtime secrets (e.g., process.env) are not exposed
- Scope is limited to the Server Function and any inlined helpers
Mitigations, rollout, and timeline
Hosting providers applied temporary mitigations, but they are not a substitute for upgrading. Follow-up CVEs are common after critical disclosures.
- Dec 3–11, 2025: initial reports, fixes, and disclosures published
- Jan 26, 2026: additional DoS cases found and patched (CVE-2026-23864)
- Thanks to the researchers who reported the issues (Andrew MacPherson, RyotaK, Shinsaku Nomura, and others)
Need help auditing your React stack?
We can review dependencies, upgrade steps, and rollout risk.
