Devam Chaudhari

CRITICAL: New React Server Component Vulnerabilities - Denial of Service and Source Code Exposure

Heads up, React developers! The React team just announced two new vulnerabilities in React Server Components that could lead to a denial of service or expose your source code. If you are using React Server Components in production, you should patch your application immediately.

This article covers the general React vulnerabilities and the specific impact on Next.js.

Here’s a breakdown of what you need to know.

The Vulnerabilities (React)

The two vulnerabilities are:

  • Denial of Service (DoS) - High Severity (CVSS 7.5, CVE-2025-55184)
  • Source Code Exposure - Medium Severity (CVSS 5.3, CVE-2025-55183)

Denial of Service (DoS)

A specially crafted HTTP request can trigger an infinite loop on your server. This will cause the server to become unresponsive, leading to a denial of service for your users. This is a high-severity vulnerability, and you should address it immediately.

Source Code Exposure

This vulnerability allows a malicious actor to potentially access the source code of your Server Functions. By sending a specially crafted HTTP request, they could expose your code, including any hardcoded secrets or other sensitive information. This is a medium-severity vulnerability but can have serious consequences.

Are You Affected? (React)

You are affected by these vulnerabilities if you are using React Server Components. This includes frameworks and bundlers such as:

  • Next.js
  • react-router
  • Waku
  • @parcel/rsc
  • @vite/rsc-plugin
  • rwsdk

If you are not using a server or your application does not support React Server Components, you are not affected.

The Fix (React)

The React team has released patched versions of the following packages:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

You should immediately upgrade to the patched release for your version line (19.0.3, 19.1.4 or 19.2.3) to close these vulnerabilities.

For React Native developers, the React team has provided specific instructions for updating the impacted packages in your monorepo.

What to Do Now (React)

  1. Check if you are affected: Determine if your application uses React Server Components.
  2. Upgrade your dependencies: If you are affected, upgrade your react-server-dom-* packages to the latest patched versions.
  3. Audit your code: Even after patching, it’s a good practice to audit your code for any hardcoded secrets and move them to a secure location.

Next.js Specific Information (Update)

The Next.js team has released a security update addressing the downstream impact of the React Server Component vulnerabilities on applications using the App Router.

Important Note: The initial fix for the Denial of Service vulnerability (CVE-2025-55184) was incomplete. A complete fix has been issued under CVE-2025-67779. If you previously upgraded, you must upgrade again to the latest patched versions.

Affected and Fixed Next.js Versions

Your Next.js application is affected if you are using the App Router. The Pages Router is not affected.

Here are the patched versions you need to upgrade to:

Version        Fixed In
>=13.3         14.2.35
14.x           14.2.35
15.0.x         15.0.7
15.1.x         15.1.11
15.2.x         15.2.8
15.3.x         15.3.8
15.4.x         15.4.10
15.5.x         15.5.9
15.x canary    15.6.0-canary.60
16.0.x         16.0.10
16.x canary    16.1.0-canary.19

Required Action for Next.js Users

All users should upgrade to the latest patched version for their release line. There is no workaround.

You can use npm or yarn to install the patched version, for example:

npm install next@14.2.35  # for 14.x
npm install next@15.0.7   # for 15.0.x
npm install next@15.1.11  # for 15.1.x
npm install next@15.2.8   # for 15.2.x
npm install next@15.3.8   # for 15.3.x
npm install next@15.4.10  # for 15.4.x
npm install next@15.5.9   # for 15.5.x
npm install next@16.0.10  # for 16.0.x

npm install next@15.6.0-canary.60   # for 15.x canary releases
npm install next@16.1.0-canary.19   # for 16.x canary releases

Alternatively, you can use the interactive fix-react2shell-next tool to check your version and perform the upgrade:

npx fix-react2shell-next
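To make steps 1 and 2 of the checklist repeatable across many repositories, here is an added Node.js script (not from the React or Next.js teams) that walks the "packages" map of a package-lock.json and compares every installed next and react-server-dom-* package with the fixed versions listed in this post. The lockfile contents embedded below are constructed sample data, not a real project.

```javascript
// Fixed versions per release line, copied from the tables in this post.
const NEXT_FIXED = [
  [/^13\.(?:[3-9]|[1-9]\d)\./, '14.2.35'], [/^14\./, '14.2.35'], // >=13.3, 14.x
  [/^15\.0\./, '15.0.7'], [/^15\.1\./, '15.1.11'], [/^15\.2\./, '15.2.8'],
  [/^15\.3\./, '15.3.8'], [/^15\.4\./, '15.4.10'], [/^15\.5\./, '15.5.9'],
  [/^15\.6\.0-canary\./, '15.6.0-canary.60'], [/^16\.0\./, '16.0.10'],
  [/^16\.1\.0-canary\./, '16.1.0-canary.19'],
];
// react-server-dom-{webpack,parcel,turbopack} fixed versions from the post.
const RSC_FIXED = [[/^19\.0\./, '19.0.3'], [/^19\.1\./, '19.1.4'], [/^19\.2\./, '19.2.3']];

// Minimal semver compare: numeric x.y.z first, then pre-release identifiers.
function cmpSemver(a, b) {
  const [am, ap = ''] = a.split('-'), [bm, bp = ''] = b.split('-');
  const an = am.split('.').map(Number), bn = bm.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (an[i] !== bn[i]) return an[i] - bn[i];
  if (!ap || !bp) return (bp ? 1 : 0) - (ap ? 1 : 0); // release > pre-release
  const as = ap.split('.'), bs = bp.split('.');
  for (let i = 0; i < Math.max(as.length, bs.length); i++) {
    const x = as[i] ?? '', y = bs[i] ?? ''; // a missing identifier sorts first
    if (x !== y) return isNaN(x) || isNaN(y) ? x.localeCompare(y) : x - y;
  }
  return 0;
}

// 'patched', 'vulnerable', or 'unknown' when the release line is not in the table.
function status(version, table) {
  const row = table.find(([line]) => line.test(version));
  return !row ? 'unknown' : cmpSemver(version, row[1]) >= 0 ? 'patched' : 'vulnerable';
}

// Walks the "packages" map of a package-lock.json (lockfile v2/v3); keys are
// install paths such as "node_modules/next", including nested node_modules.
function auditLock(lock) {
  const findings = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    const name = pkgPath.split('node_modules/').pop();
    const table = name === 'next' ? NEXT_FIXED : name.startsWith('react-server-dom-') ? RSC_FIXED : null;
    if (table) findings.push({ path: pkgPath, version: meta.version, status: status(meta.version, table) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project); for a real one, JSON.parse your package-lock.json.
const SAMPLE_LOCK = { packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/next': { version: '15.3.2' },
  'node_modules/react-server-dom-webpack': { version: '19.2.3' },
  'node_modules/some-dep/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
} };
for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.status.padEnd(10)} ${f.path}@${f.version}`);
```

Nested copies of react-server-dom-* pulled in by other dependencies are reported too, since a patched top-level next does not guarantee every transitive copy was updated.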

Reference links:
