惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
人人都是产品经理
人人都是产品经理
IT之家
IT之家
Cyberwarzone
Cyberwarzone
T
Troy Hunt's Blog
有赞技术团队
有赞技术团队
阮一峰的网络日志
阮一峰的网络日志
T
Threat Research - Cisco Blogs
S
SegmentFault 最新的问题
Apple Machine Learning Research
Apple Machine Learning Research
G
GRAHAM CLULEY
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 叶小钗
Last Week in AI
Last Week in AI
C
CERT Recently Published Vulnerability Notes
The Hacker News
The Hacker News
Jina AI
Jina AI
T
Tor Project blog
V
Vulnerabilities – Threatpost
酷 壳 – CoolShell
酷 壳 – CoolShell
Spread Privacy
Spread Privacy
博客园_首页
C
Cybersecurity and Infrastructure Security Agency CISA
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog
Security Latest
Security Latest
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 司徒正美
V2EX - 技术
V2EX - 技术
I
Intezer
The Cloudflare Blog
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
博客园 - 【当耐特】
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
L
Lohrmann on Cybersecurity
Scott Helme
Scott Helme
Google Online Security Blog
Google Online Security Blog
量子位
The Last Watchdog
The Last Watchdog
AI
AI
Application and Cybersecurity Blog
Application and Cybersecurity Blog
S
Security Affairs
P
Palo Alto Networks Blog
S
Secure Thoughts
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Attack and Defense Labs
Attack and Defense Labs

React Blog

The React Foundation: A New Home for React Hosted by the Linux Foundation – React Critical Security Vulnerability in React Server Components – React React Conf 2025 Recap – React Introducing the React Foundation – React React Compiler v1.0 – React React 19.2 – React React Labs: View Transitions, Activity, and more – React Sunsetting Create React App – React React v19 – React React Compiler Beta Release – React React Conf 2024 Recap – React React 19 Upgrade Guide – React React Labs: What We've Been Working On – February 2024 – React React Canaries: Enabling Incremental Feature Rollout Outside Meta – React React Labs: What We've Been Working On – March 2023 – React Introducing react.dev – React React Labs: What We've Been Working On – June 2022 – React React v18.0 – React How to Upgrade to React 18 – React React Conf 2021 Recap – React The Plan for React 18 – React Introducing Zero-Bundle-Size React Server Components – React
Denial of Service and Source Code Exposure in React Server Components – React
2025-12-11 · via React Blog

December 11, 2025 by The React Team

Updated January 26, 2026.


Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability.

These new vulnerabilities do not allow for Remote Code Execution. The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit.


The new vulnerabilities are disclosed as:

We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.

Note

The patches published earlier are vulnerable.

If you already updated for the previous vulnerabilities, you will need to update again.

If you updated to 19.0.3, 19.1.4, and 19.2.3, these are incomplete, and you will need to update again.

Please see the instructions in the previous post for upgrade steps.


Updated January 26, 2026.

Further details of these vulnerabilities will be provided after the rollout of the fixes are complete.

Immediate Action Required

These vulnerabilities are present in the same packages and versions as CVE-2025-55182.

This includes 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2, and 19.2.3 of:

Fixes were backported to versions 19.0.4, 19.1.5, and 19.2.4. If you are using any of the above packages please upgrade to any of the fixed versions immediately.

As before, if your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

Note

It’s common for critical CVEs to uncover follow‑up vulnerabilities.

When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.

This pattern shows up across the industry, not just in JavaScript. For example, after Log4Shell, additional CVEs (1, 2) were reported as the community probed the original fix.

Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.

Affected frameworks and bundlers

Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vite/rsc-plugin, and rwsdk.

Please see the instructions in the previous post for upgrade steps.

Hosting Provider Mitigations

As before, we have worked with a number of hosting providers to apply temporary mitigations.

You should not depend on these to secure your app, and still update immediately.

React Native

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

If you are using React Native in a monorepo, you should update only the impacted packages if they are installed:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

This is required to mitigate the security advisories, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native.

See this issue for more information.


High Severity: Multiple Denial of Service

CVEs: CVE-2026-23864 Base Score: 7.5 (High) Date: January 26, 2026

Security researchers discovered additional DoS vulnerabilities still exist in React Server Components.

The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.

The patches published January 26th mitigate these DoS vulnerabilities.

Note

Additional fixes published

The original fix addressing the DoS in CVE-2025-55184 was incomplete.

This left previous versions vulnerable. Versions 19.0.4, 19.1.5, 19.2.4 are safe.


Updated January 26, 2026.


High Severity: Denial of Service

CVEs: CVE-2025-55184 and CVE-2025-67779 Base Score: 7.5 (High)

Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment.

The patches published today mitigate by preventing the infinite loop.

Medium Severity: Source Code Exposure

CVE: CVE-2025-55183 Base Score: 5.3 (Medium)

A security researcher has discovered that a malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument:

'use server';

export async function serverFunction(name) {

const conn = db.createConnection('SECRET KEY');

const user = await conn.createUser(name); // implicitly stringified, leaked in db

return {

id: user.id,

message: `Hello, ${name}!` // explicitly stringified, leaked in reply

}}

An attacker may be able to leak the following:

0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"}

1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"}

The patches published today prevent stringifying the Server Function source code.

Note

Only secrets in source code may be exposed.

Secrets hardcoded in source code may be exposed, but runtime secrets such as process.env.SECRET are not affected.

The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides.

Always verify against production bundles.


Timeline

  • December 3rd: Leak reported to Vercel and Meta Bug Bounty by Andrew MacPherson.
  • December 4th: Initial DoS reported to Meta Bug Bounty by RyotaK.
  • December 6th: Both issues confirmed by the React team, and the team began investigating.
  • December 7th: Initial fixes created and the React team began verifying and planning new patch.
  • December 8th: Affected hosting providers and open source projects notified.
  • December 10th: Hosting provider mitigations in place and patches verified.
  • December 11th: Additional DoS reported to Meta Bug Bounty by Shinsaku Nomura.
  • December 11th: Patches published and publicly disclosed as CVE-2025-55183 and CVE-2025-55184.
  • December 11th: Missing DoS case found internally, patched and publicly disclosed as CVE-2025-67779.
  • January 26th: Additional DoS cases found, patched, and publicly disclosed as CVE-2026-23864.

Attribution

Thank you to Andrew MacPherson (AndrewMohawk) for reporting the Source Code Exposure, RyotaK from GMO Flatt Security Inc and Shinsaku Nomura of Bitforest Co., Ltd. for reporting the Denial of Service vulnerabilities. Thank you to Mufeed VH from Winfunc Research, Joachim Viide, RyotaK from GMO Flatt Security Inc and Xiangwei Zhang of Tencent Security YUNDING LAB for reporting the additional DoS vulnerabilities.