
In-Depth Analysis of React Server Components Vulnerabilities: CVE-2025-55184 and CVE-2025-55183

In-depth analysis of two critical React Server Components vulnerabilities disclosed in Dec 2025: CVE-2025-55184 (High-severity DoS via crafted payloads causing server hangs) and CVE-2025-55183 (Medium-severity source code disclosure in Server Functions). Explores technical roots, impacts on Next.js apps, exploitation risks, and urgent mitigations.

Cybersecurity | Software Bugs | Evolving Tech

Phillemon Neluvhalani

12/18/2025 · 3 min read

React, React Vulnerabilities, CVE-2025-55183, CVE-2025-55184, Node.js

In early December 2025, the React ecosystem faced a series of security disclosures affecting React Server Components (RSC), the React 19 feature that lets components render on the server and exposes Server Functions to the client in frameworks such as Next.js. These disclosures followed an initial critical remote code execution issue (CVE-2025-55182, dubbed "React2Shell") and highlight ongoing risk in the RSC payload deserialization path.

In this article we focus on two significant follow-up vulnerabilities: CVE-2025-55184 (a high-severity denial of service) and CVE-2025-55183 (a medium-severity information disclosure). Both stem from unsafe handling of crafted HTTP requests to RSC server endpoints and affect widely deployed web applications.

CVE-2025-55184: Denial-of-Service via Microtask Starvation

Overview and Severity

CVE-2025-55184 is a pre-authentication denial-of-service (DoS) vulnerability in React Server Components.

Attackers can send specially crafted RSC "Flight" payloads that trigger unbounded processing, freezing the Node.js event loop and leaving the server unresponsive. It carries a CVSS score of 7.5 (High): the impact is on availability only, and exploitation requires neither authentication nor any special preconditions.

The issue affects React versions 19.0.0 through 19.2.2 (specifically the react-server-dom-webpack, react-server-dom-turbopack and related react-server-dom-* packages), as well as Next.js versions using the App Router (13.3 and later, including 15.x and 16.x).

Let's dive deeper...

The vulnerability lives in the deserialization of RSC payloads, which serialize complex objects such as Promises for transmission between client and server. In Node.js, the event loop drains the microtask queue (e.g., Promise resolutions via .then()) completely before it returns to any other work. The flaw is the absence of cycle detection or depth limiting during Promise deserialization.

An attacker crafts a payload containing a cyclic Promise reference (e.g., a Promise that resolves to itself, or a chain that loops back on itself). During deserialization:

  1. The parser encounters a fulfilled Promise and schedules a microtask to unwrap its value.

  2. The value references the root object (or another in the cycle), triggering recursive scheduling of new microtasks.

  3. The microtask queue never empties, starving the event loop of macrotasks (I/O, timers, network handling).

This "microtask starvation" looks different from a crash: the process stays alive with its port open, memory stays flat, and the main thread simply spins through the microtask queue without ever returning to handle new requests or health checks. Because the kernel still completes TCP handshakes into the listen backlog, a TCP-level health check can keep passing while HTTP health checks time out, so an orchestrator may never restart the hung worker.

Example Payload

A minimal exploiting payload (sent via POST to a vulnerable endpoint) might look like this simplified structure. It is illustrative only: the Flight wire format is a newline-delimited series of id:json rows rather than a single JSON object, but the self-reference is the part that matters.

```json
{ "id": "root", "chunks": [], "value": { "$": "$Promise", "status": "fulfilled", "value": { "$": "$@root" } } }
```

Here, "$@root" creates a self-reference, initiating the infinite recursion.
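To make the mechanism concrete, here is an added example (written for this article, not code from React or Next.js) that models fulfilled-Promise unwrapping the way the three steps above describe it, with each unwrap scheduled on the microtask queue. The chunk shapes, the "$@id" reference form and the chunk ids are assumptions that mirror the simplified payload above. Run it with Node: the unpatched resolver only stops because a step budget stands in for "forever", the patched one reports the cycle after two steps, and in both cases a 0 ms timer armed before the chain started could not run until the chain was done, which is the starvation.

```javascript
// Toy model of fulfilled-Promise unwrapping in a Flight-style deserializer (added example,
// not React's code). Chunk shapes (an assumption mirroring the simplified payload above):
//   { "$": "$Promise", "status": "fulfilled", "value": <model> }   fulfilled Promise chunk
//   { "$": "$@<id>" }                                              reference to chunk <id>
// Each unwrap is scheduled with queueMicrotask, the same queue a .then() callback lands in.

// Resolves chunk `rootId` to a plain value. `detectCycles` toggles the missing check;
// `maxSteps` stands in for "forever" so the unpatched path can be shown without hanging.
function resolveModel(chunks, rootId, { detectCycles, maxSteps = 10000 }) {
  let steps = 0;
  return new Promise((resolve) => {
    function step(model, path) {
      steps += 1;
      if (steps > maxSteps) return resolve({ status: 'starved', steps });
      if (model && typeof model === 'object' && typeof model.$ === 'string') {
        if (model.$ === '$Promise' && model.status === 'fulfilled') {
          queueMicrotask(() => step(model.value, path)); // unwrap the fulfilled value
          return;
        }
        if (model.$.startsWith('$@')) {
          const id = model.$.slice(2);
          // Hardened path: a reference back to a chunk already on the current path is a
          // cycle, so fail the request instead of scheduling yet another microtask.
          if (detectCycles && path.includes(id)) {
            return resolve({ status: 'cycle', path: [...path, id], steps });
          }
          queueMicrotask(() => step(chunks[id], [...path, id]));
          return;
        }
      }
      resolve({ status: 'ok', value: model, steps });
    }
    step(chunks[rootId], [rootId]);
  });
}

// Arms a 0 ms timer (a macrotask) before the chain starts and records whether it ran
// before the chain settled. It never does: Node drains the microtask queue first, so
// every timer, socket read and health check waits for the whole chain.
async function probeStarvation(chunks, rootId, opts) {
  let settled = false;
  let timerRanBeforeSettle = false;
  const timer = new Promise((done) => setTimeout(() => {
    timerRanBeforeSettle = !settled;
    done();
  }, 0));
  const result = await resolveModel(chunks, rootId, opts);
  settled = true;
  await timer;
  return { ...result, timerRanBeforeSettle };
}

// Constructed payloads: the cyclic one from the article, and a benign two-chunk chain.
const CYCLIC_PAYLOAD = {
  root: { $: '$Promise', status: 'fulfilled', value: { $: '$@root' } },
};
const BENIGN_PAYLOAD = {
  root: { $: '$Promise', status: 'fulfilled', value: { $: '$@1' } },
  1: { $: '$Promise', status: 'fulfilled', value: 'hello' },
};

(async () => {
  const unpatched = await probeStarvation(CYCLIC_PAYLOAD, 'root', { detectCycles: false });
  console.log('unpatched:', unpatched); // status 'starved' at the budget, timer never ran first
  const patched = await probeStarvation(CYCLIC_PAYLOAD, 'root', { detectCycles: true });
  console.log('patched:', patched); // status 'cycle' after 2 steps, path root > root
  console.log('benign:', await resolveModel(BENIGN_PAYLOAD, 'root', { detectCycles: true }));
})();
```

The path-based check is the cheapest form of cycle detection; a depth cap on `path.length` would bound deeply nested but acyclic chains as well, which is the other half of the missing safeguard the text mentions.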

Impact and Exploitation

Exploitation is straightforward and low-effort: a single small request (under 1 KB) can take a server offline indefinitely. No authentication is needed, and it works against any endpoint that parses RSC payloads (Server Actions / Server Functions).

Post-disclosure scanning and exploitation surged, with millions of probes observed, some targeting critical infrastructure and government systems.

Note that the initial fix was incomplete; the remaining issue was assigned CVE-2025-67779, and the versions below include that follow-up fix.

Mitigation

Upgrade to patched versions:

  • React: 19.0.3, 19.1.4, 19.2.3 or later.

  • Next.js: the patched release for your minor line (15.0.7 for the 15.0 line and 16.0.10 for the 16.0 line; the 15.1 through 15.5 lines each have their own patched release in the advisory). A higher minor with an older patch number is still vulnerable, so match the exact line rather than reading "15.0.7+" as a single floor.

Some WAF providers (e.g., Cloudflare) deployed rules to block known exploit patterns. Treat that as a stopgap only: a rule keyed on a known payload shape does not cover variants, and it does nothing for traffic that reaches the app by another path.
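Checking the installed versions against those lines is the first thing to do. The script below is an added example, not tooling from the React or Next.js projects: it walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3, where keys are node_modules paths) and classifies each React Server Components package against the React fix versions listed above. The Next.js list only carries the two lines the article names and is marked as an assumption to be extended from the advisory for your minor line; the package list, the sample lockfile and the status names are choices made for this example.

```javascript
// Added example (not from the React or Next.js projects): audit an npm lockfile against
// the patched releases named in the article. Extend ASSUMED_NEXT_FIXED with the fix for
// your own Next.js minor line; only the two lines the article names are listed here.
const REACT_FIXED = ['19.0.3', '19.1.4', '19.2.3'];   // from the article
const ASSUMED_NEXT_FIXED = ['15.0.7', '16.0.10'];     // assumption: only the lines named above
const REACT_PACKAGES = [                              // react/react-dom ship in lockstep with
  'react', 'react-dom',                               // the react-server-dom-* packages
  'react-server-dom-webpack', 'react-server-dom-turbopack',
];

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(version);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Compares within the same major.minor line only: 19.2.1 is below 19.2.3, but 19.3.0 is
// a line the fix list says nothing about and must be checked by hand.
function classify(version, fixedList) {
  const v = parseVersion(version);
  if (!v) return 'unparseable';
  if (v.pre) return 'prerelease'; // canary/rc builds: check the advisory manually
  const fixed = fixedList.map(parseVersion)
    .find((f) => f.major === v.major && f.minor === v.minor);
  if (!fixed) return 'unknown-line';
  return v.patch >= fixed.patch ? 'patched' : 'vulnerable';
}

// `lock` is the parsed package-lock.json object. Nested copies such as
// node_modules/some-lib/node_modules/react are audited too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    let fixedList = null;
    if (REACT_PACKAGES.includes(name)) fixedList = REACT_FIXED;
    else if (name === 'next') fixedList = ASSUMED_NEXT_FIXED;
    if (!fixedList || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version, fixedList) });
  }
  return findings;
}

// Everything that is not positively patched needs a human look.
function needsAction(findings) {
  return findings.filter((f) => f.status !== 'patched');
}

// Constructed sample lockfile for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-dom': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.3' },
    'node_modules/next': { version: '16.0.10' },
    'node_modules/some-lib/node_modules/react': { version: '19.1.0-canary-abc123' },
  },
};

for (const f of needsAction(auditLockfile(SAMPLE_LOCK))) {
  console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json; an exit code keyed on `needsAction(...).length` turns it into a CI gate.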

CVE-2025-55183: Source Code Disclosure in Server Functions

Overview and Severity

CVE-2025-55183 enables unauthorized disclosure of server-side source code. By sending a crafted HTTP request to a vulnerable Server Function, an attacker can cause the response to contain a Server Function's source code. Rated CVSS 5.3 (Medium), it primarily affects confidentiality.

Affected versions overlap with CVE-2025-55184, impacting the same React 19 packages and Next.js deployments that use Server Functions.

Technical Deep Dive

Server Functions in RSC are server-only code invoked via client requests. The vulnerability arises when a function accepts an argument that undergoes string coercion (e.g., via toString() or a template literal). An attacker supplies an argument that deserializes to a reference to another Server Function; when the server coerces or serializes it, the result is that function's source text (Function.prototype.toString returns a function's source), which is then returned to the client.

This bypasses the intended isolation between client data and server logic, leaking implementation details and anything embedded in the function body, such as hard-coded API keys or business logic.
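The following added example (written for this article, not React's implementation) reduces that chain to its two essential pieces: a deserializer that turns a client-supplied reference into a real function object, and a Server Function that coerces its argument to a string. The "$F<id>" reference form, the function registry, the function names and the fake key are all assumptions made for the illustration. The hardened deserializer applies the simplest possible policy for a toy, allowing only JSON-style values through; the general lesson is to validate the type of anything client data can become before it is coerced or echoed back.

```javascript
// Added example (not React's code): a toy Server Function call boundary showing how a
// client-controlled argument that resolves to a function, and is then coerced to a
// string, leaks that function's source. The "$F<id>" reference form, the registry and
// the names below are assumptions for this illustration.
const serverFunctions = new Map();

// A server-only function carrying a constructed, fake secret. Function.prototype.toString
// returns exactly this source text, body included.
serverFunctions.set('chargeCard', function chargeCard(amount) {
  const PAYMENT_API_KEY = 'sk_test_EXAMPLE_NOT_A_REAL_KEY'; // constructed sample value
  return `charged ${amount} using ${PAYMENT_API_KEY.slice(0, 7)}...`;
});

// The Server Function under attack: the template literal coerces `name` to a string.
serverFunctions.set('greet', function greet(name) {
  return `Hello, ${name}!`;
});

// Vulnerable deserializer: a "$F<id>" reference from the client becomes the actual
// function object, so greet()'s coercion ends up calling that function's toString().
function deserializeArgNaive(arg) {
  if (arg && typeof arg === 'object' && typeof arg.$ === 'string' && arg.$.startsWith('$F')) {
    return serverFunctions.get(arg.$.slice(2));
  }
  return arg;
}

// Hardened deserializer: client data may only become JSON-style values. Anything that
// looks like a reference marker is rejected rather than materialized.
function deserializeArgStrict(arg) {
  const t = typeof arg;
  if (arg === null || t === 'string' || t === 'number' || t === 'boolean') return arg;
  if (Array.isArray(arg)) return arg.map(deserializeArgStrict);
  if (t === 'object' && Object.getPrototypeOf(arg) === Object.prototype) {
    const out = {};
    for (const [key, value] of Object.entries(arg)) {
      if (key === '$') throw new TypeError('reference markers are not allowed in arguments');
      out[key] = deserializeArgStrict(value);
    }
    return out;
  }
  throw new TypeError(`unsupported argument type: ${t}`);
}

// The request handler: deserialize every argument, then invoke the named function.
function callServerFunction(id, rawArgs, deserializeArg) {
  const fn = serverFunctions.get(id);
  if (!fn) throw new Error(`unknown server function ${id}`);
  return fn(...rawArgs.map(deserializeArg));
}

// Response check: does the body contain the source text of any registered function?
function leaksSource(body) {
  return [...serverFunctions.values()].some((fn) => body.includes(fn.toString()));
}

// Constructed attack request: the argument to greet() is a reference to chargeCard.
const ATTACK_ARGS = [{ $: '$FchargeCard' }];
console.log('naive  :', callServerFunction('greet', ATTACK_ARGS, deserializeArgNaive));
try {
  callServerFunction('greet', ATTACK_ARGS, deserializeArgStrict);
} catch (e) {
  console.log('strict :', e.message);
}
```

Note what the vulnerable path does not require: no memory corruption, no special endpoint, just an argument of the wrong type reaching a coercion site. That is why the general fix is type validation at the deserialization boundary rather than a change to the functions themselves.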

Impact of Exploitation

Successful exploitation reveals backend source code, which enables follow-on attacks: identifying further vulnerabilities, extracting embedded secrets, or crafting targeted exploits. Like the DoS issue, it requires no authentication and can be triggered remotely.

Combined with other leaks, this could escalate to a severe compromise. The same upgrades that fix CVE-2025-55184 resolve this issue; the patched releases add stricter type validation and serialization safeguards.

Here's What We Recommend You Implement

These vulnerabilities underscore the risks of complex serialization in server-client protocols. RSC adoption has grown rapidly in Next.js and other frameworks, which amplifies the exposure; many production applications remained vulnerable weeks after disclosure. The disclosure timeline, coordinated by Meta (React's maintainer), gave time for patches but also triggered rapid scanning by threat actors.

Key Recommendations:

  • Immediately audit and upgrade React/Next.js dependencies.

  • Monitor for anomalous requests to RSC endpoints, and alert on event-loop lag or HTTP health-check timeouts on a process whose port is still open; that combination is the signature of a starved worker.

  • Consider WAF rules or runtime protections for defense-in-depth, not as a substitute for upgrading.

  • For new projects, adhere to React's security guidelines for Server Components.

Prompt patching remains the most effective defense against these and related RSC issues. As the web ecosystem evolves, such disclosures remind developers of the importance of secure deserialization practices.

As Always... Stay sharp, Stay ethical and Happy hacking⚡

If you found this article valuable, copy the link and share it, email us your thoughts on the matter, and you can also buy us a coffee on our PayPal --> Here 🎁