New React Server Components Vulnerabilities: DoS and Source Code Exposure
Blog post from Socket
Security researchers have identified two additional vulnerabilities in React Server Components (RSC) following the recent React2Shell disclosure, so further updates are required even on systems that already carry the RCE patch. The first is a denial of service (CVE-2025-55184 and CVE-2025-67779): an infinite loop during deserialization can leave the server process hanging. The second is a source code exposure (CVE-2025-55183) that can reveal compiled source code but does not expose runtime secrets.

These issues affect packages such as react-server-dom-webpack and frameworks such as Next.js and the Vite RSC plugin, with affected versions ranging from 19.0.0 to 19.2.2. React has released updated package versions, and framework authors have published patched releases that address these vulnerabilities. Affected teams are advised to upgrade immediately and to review their projects for vulnerable package versions, paying particular attention to Server Functions that embed hardcoded secrets, since the source code exposure could reveal them.
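One way to carry out the "review your projects" step is to scan a package-lock.json for RSC packages inside the affected range. The script below is an added example, not code from Socket or the React project; it assumes every package named react-server-dom-* is in scope (the post names react-server-dom-webpack explicitly) and uses a constructed sample lockfile as input.

```javascript
// Added example (not from the Socket post or the React project): flag lockfile
// entries for React Server Components packages whose version falls in the range
// the post calls affected, 19.0.0 through 19.2.2 inclusive.
// Assumption: any package named react-server-dom-* is in scope.

const AFFECTED_MIN = [19, 0, 0];
const AFFECTED_MAX = [19, 2, 2];

// Parse "19.2.2" into [major, minor, patch]. A prerelease suffix such as
// "-rc.1" is ignored, so prereleases of an affected version are flagged too.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  return compareVersions(p, AFFECTED_MIN) >= 0 && compareVersions(p, AFFECTED_MAX) <= 0;
}

// Walk a lockfile v2/v3 "packages" map. Keys look like
// "node_modules/react-server-dom-webpack" or, for nested copies pulled in by a
// framework, "node_modules/next/node_modules/react-server-dom-webpack".
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // last segment is the package name
    if (name.startsWith("react-server-dom-") && entry.version && isAffectedVersion(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is outside the affected range,
// but a nested copy under a framework package is still 19.2.1.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.3" },
    "node_modules/react-server-dom-webpack": { version: "19.2.3" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.1" },
  },
};

console.log(findAffected(SAMPLE_LOCK)); // one hit: the nested 19.2.1 copy
```

Nested copies are the usual reason a project still ships an affected version after a top-level upgrade, which is why the walk covers every key rather than only direct dependencies.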