React RSC: Update Now to Patch DoS and Source Leak (CVE-2025-55184, -55183)

React disclosed two new RSC vulnerabilities: a DoS that can hang servers and a source code exposure that can leak Server Function code when arguments are stringified. They do not enable RCE, but last week’s patches are insufficient and must be updated. Upgrade react-server-dom-{webpack,parcel,turbopack} to 19.0.2, 19.1.3, or 19.2.2 immediately; hosting mitigations are temporary.
Key Points
- Two new RSC CVEs: DoS (CVE-2025-55184, High) and Source Code Exposure (CVE-2025-55183, Medium); no new RCE.
- Immediate upgrade required: react-server-dom-{webpack,parcel,turbopack} to 19.0.2, 19.1.3, or 19.2.2.
- DoS via crafted request can cause an infinite loop on deserialization, potentially affecting any RSC-enabled app.
- Source code exposure occurs when a Server Function stringifies its arguments, potentially leaking secrets hardcoded in that function's source (not secrets read from the runtime environment).
- Frameworks/bundlers like Next.js, React Router, Waku, Parcel RSC, Vite RSC plugin, and rwsdk are affected; hosting mitigations exist but are not sufficient.
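The upgrade requirement above is easy to get wrong when a bundler or framework pulls in a nested copy of one of the three packages. The following is an added example, not code from the advisory or the React project: it walks a package-lock.json (lockfile v2/v3 "packages" map, an assumption about the input layout) and reports every installed copy of react-server-dom-{webpack,parcel,turbopack}, comparing it with the fixed release for its minor line (19.0.2, 19.1.3, 19.2.2, taken from the key points). The lock file below is constructed inline so the check runs offline; the mapping of other release lines is deliberately left as "unknown-line" rather than guessed.

```javascript
// Added example: audit a package-lock.json for unpatched react-server-dom-* copies.
// Not part of the advisory or the React project; the lock layout assumed is
// npm lockfile v2/v3, where "packages" maps install paths to metadata.

const AFFECTED = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Fixed version per minor release line, as listed in the advisory summary.
// Lines not listed here are reported as 'unknown-line' rather than judged.
const FIXED_BY_LINE = { '19.0': '19.0.2', '19.1': '19.1.3', '19.2': '19.2.2' };

// Parse "major.minor.patch" (optionally prefixed with "v", optionally followed
// by a prerelease/build suffix such as -canary-...) into three numbers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one installed version. Returns { status, fixed } where status is
// 'patched', 'vulnerable', 'review' (prerelease build at or above the fix,
// which cannot be judged from the number alone), 'unknown-line' or 'unparseable'.
function assessVersion(version) {
  const parsed = parseSemver(version);
  if (!parsed) return { status: 'unparseable', fixed: null };
  const line = `${parsed[0]}.${parsed[1]}`;
  const fixed = FIXED_BY_LINE[line];
  if (!fixed) return { status: 'unknown-line', fixed: null };
  const prerelease = /^v?\d+\.\d+\.\d+-/.test(version);
  const cmp = compareSemver(parsed, parseSemver(fixed));
  if (cmp < 0) return { status: 'vulnerable', fixed };
  if (prerelease) return { status: 'review', fixed };
  return { status: 'patched', fixed };
}

// Walk every install path in the lock file, including nested copies such as
// node_modules/<framework>/node_modules/react-server-dom-webpack.
function findAffected(lock) {
  const results = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const idx = installPath.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the root project entry ("") has no package path
    const name = installPath.slice(idx + 'node_modules/'.length);
    if (!AFFECTED.includes(name)) continue;
    const version = meta.version || '';
    results.push({ name, path: installPath, version, ...assessVersion(version) });
  }
  return results;
}

// Constructed sample lock file (not taken from any real project): one nested
// turbopack copy already on 19.2.2, one parcel copy on 19.0.2, and a
// top-level webpack copy still on 19.1.2, which is below the 19.1.3 fix.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.2' },
    'node_modules/react-server-dom-parcel': { version: '19.0.2' },
    'node_modules/some-framework/node_modules/react-server-dom-turbopack': { version: '19.2.2' },
  },
};

for (const r of findAffected(SAMPLE_LOCK)) {
  console.log(`${r.status.padEnd(12)} ${r.name}@${r.version} (${r.path})` +
    (r.fixed ? `  fixed in ${r.fixed}` : ''));
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Anything reported as 'vulnerable' needs the upgrade the advisory calls for; 'review' and 'unknown-line' results mean the version string alone does not settle the question and the release notes for that line should be checked.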
Sentiment
The overall sentiment of the Hacker News discussion is largely negative towards React Server Components (RSC) and the Next.js App Router. While there's a practical acceptance of the vulnerabilities needing to be fixed and some acknowledgement of the disclosure process, the vast majority of comments express strong dissatisfaction with the complexity, lack of predictability, and perceived architectural flaws of RSC, often advocating for alternative frameworks or older, simpler approaches. The community generally agrees that the vulnerabilities are serious but uses them as further evidence against the fundamental design choices of RSC.
In Agreement
- The vulnerabilities highlight real security concerns that require immediate attention and upgrades, which many users acknowledged and acted upon.
- The sentiment that follow-up CVEs are common after a critical disclosure, as stated by the React team, is understood and seen as a sign of healthy scrutiny within the security community.
- Acknowledgement that the bugs live in the RSC serialization/deserialization protocol, a consequence of JavaScript's dynamic nature rather than of the implicit client/server split itself, in line with the article's technical detail.
- Appreciation for clear disclosure and responsive communication from the React team regarding the vulnerabilities and mitigation steps, especially after initial feedback.
Opposed
- React Server Components (RSC) and the Next.js App Router introduce excessive complexity and blur the line between client and server code, making it difficult to understand where code runs and increasing the risk of security vulnerabilities.
- Many users prefer the simpler mental model of the older Next.js Pages Router or other frameworks/architectures that maintain a clear separation of concerns between frontend and backend.
- The perceived benefits of RSC (e.g., performance, avoiding REST/GraphQL) are often outweighed by the increased complexity, reduced maintainability, and security risks, particularly for common 'app' use cases.
- Criticism that the React team and Vercel are pushing experimental or overly complex features, driven by financial incentives or internal Meta patterns, without sufficient documentation or consideration for broad developer experience, and that this leads to instability and repeated security issues.
- The vulnerabilities reinforce the argument against isomorphic JavaScript/TypeScript approaches that aim to unify client and server codebases, suggesting that such designs inherently increase the likelihood of security contamination.