The React team has disclosed new security vulnerabilities in React Server Components (RSC), following the earlier critical RCE patch. These vulnerabilities, categorized as Denial of Service (DoS) and Source Code Exposure, pose significant risks to applications using RSC. Immediate action is required for all affected projects. The official disclosure on the React blog is the primary source.


🔥 Vulnerability Summary and Affected Versions

The newly disclosed issues fall into two categories: high-severity DoS attacks and a medium-severity source code leak.

| Vulnerability Type   | CVE ID                          | CVSS Score | Severity | Primary Impact                              |
|----------------------|---------------------------------|------------|----------|---------------------------------------------|
| Denial of Service    | CVE-2025-55184, CVE-2025-67779  | 7.5        | High     | Server process hang, excessive CPU usage    |
| Denial of Service    | CVE-2026-23864                  | 7.5        | High     | Server crash, out-of-memory exceptions      |
| Source Code Exposure | CVE-2025-55183                  | 5.3        | Medium   | Server Function source code leak            |

Affected Packages & Versions: Versions 19.0.0 through 19.2.3 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack are vulnerable.

Immediate Upgrade Target: Update to 19.0.4, 19.1.5, or 19.2.4 (or a later release on the same minor line).


🛡️ Action Guide for Developers

  1. Check Dependencies and Update:

    Example package.json (only the relevant entries are shown; JSON does not allow comments, so the notes are given below the block). Pin each react-server-dom-* package your bundler uses to the patched release of the minor line you are on (19.0.4, 19.1.5, or 19.2.4):

    {
      "dependencies": {
        "react-server-dom-webpack": "^19.2.4",
        "react-server-dom-parcel": "^19.2.4",
        "react-server-dom-turbopack": "^19.2.4"
      }
    }

    react and react-dom can remain at their current versions to avoid mismatch errors.

    Run npm update or yarn upgrade in your terminal.

  2. Framework Users: If you're using Next.js, React Router, Waku, or other affected frameworks, ensure they are also updated to their latest versions.

  3. React Native Users: No action is needed if you're not using a monorepo. In a monorepo, only update the vulnerable server packages listed above.

  4. Hosting Provider Mitigations: Major providers like Vercel have applied temporary mitigations, but you should not rely on them. Apply the patches directly.


💡 Conclusion and Key Takeaways

These vulnerabilities highlight the risks associated with deserializing untrusted data in Server Components. The DoS vectors can cripple server availability, making immediate patching the most critical step.

While apps not using Server Components are unaffected, indirect risk exists if your framework or bundler supports RSC. After applying the patches, enhance your server monitoring to detect anomalies promptly. Remember, security is an ongoing process, not a one-time update.