
"In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server Function source code, so anyone using RSC or frameworks that support it should patch quickly. The latest vulnerabilities - two high-severity denial-of-service bugs tracked as CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5), and a source-code exposure flaw tracked as CVE-2025-55183 (CVSS 5.3) - were found by security researchers attempting to poke holes in the patch for the earlier maximum-severity React flaw that is under active exploitation."
"The high-severity denial-of-service bugs (CVE-2025-55184 and CVE-2025-67779) can be exploited by sending a specially crafted HTTP request to any server function endpoint, causing an infinite loop that hangs the server process and consumes CPU. 'This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment,' according to the React team."
Three new vulnerabilities affect React Server Components (RSC) and the frameworks built on it: two high-severity denial-of-service flaws (CVE-2025-55184 and CVE-2025-67779, CVSS 7.5) and a medium-severity source-code exposure (CVE-2025-55183, CVSS 5.3). For the DoS bugs, a single crafted HTTP request to a server function endpoint triggers an infinite loop that hangs the server process and pins its CPU, denying service to users and degrading anything else running on the host. The source-code exposure is narrower: it requires a server function that converts one of its arguments to string form, and what leaks is the function's source text, so secrets hardcoded in that source are exposed while values read from environment variables at runtime are not. Researchers RyotaK and Shinsaku Nomura reported the DoS bugs; Andrew MacPherson found the source-exposure issue. All three CVEs exist in the same packages and should be patched promptly.
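Why the source-code exposure hinges on a function that stringifies an argument, as an added illustration that is not code from React or from the article: in JavaScript, `Function.prototype.toString` returns a function's source text, so a server function that interpolates an argument into a string will echo the source of whatever function value lands in that argument, including any secret literal written inside it. The `vulnerableLookup`, `envLookup` and `hardenedLookup` functions, the fake secret strings and the `simulateFunctionArgument` helper are all constructed for this example; it passes each function to itself directly and does not reproduce the crafted RSC request that makes an argument resolve to a server-function reference.

```javascript
// Added example (not React's code). Demonstrates three things the text states:
//  1. stringifying an argument that turns out to be a function leaks that
//     function's source, including hardcoded secrets;
//  2. a function that reads its secret from process.env only leaks the
//     expression text, not the runtime value;
//  3. validating the argument type before stringifying closes the hole.

// Constructed runtime secret for the env-var variant (fake value).
process.env.ORDER_API_KEY = "runtime-secret-value";

// Hypothetical server function with a hardcoded secret (fake value).
function vulnerableLookup(orderId) {
  const apiKey = "sk_live_EXAMPLE_DO_NOT_USE"; // hardcoded secret literal
  // Interpolating an untyped argument: if orderId is a function, its
  // source text (with apiKey above) ends up in the response.
  return `looking up order ${orderId} (key ends ${apiKey.slice(-4)})`;
}

// Same logic, but the secret lives in the environment, not in the source.
function envLookup(orderId) {
  const apiKey = process.env.ORDER_API_KEY ?? ""; // read at runtime
  return `looking up order ${orderId} (key ends ${apiKey.slice(-4)})`;
}

// Hardened variant: refuse anything that is not a short identifier string
// before it can reach a string conversion.
function hardenedLookup(orderId) {
  if (typeof orderId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(orderId)) {
    throw new TypeError("orderId must be a short identifier string");
  }
  const apiKey = "sk_live_EXAMPLE_DO_NOT_USE"; // still hardcoded, but unreachable
  return `looking up order ${orderId} (key ends ${apiKey.slice(-4)})`;
}

// Simulates the argument resolving to a server-function reference by
// passing the function to itself. The real RSC transport is not modelled.
function simulateFunctionArgument(fn) {
  try {
    return { ok: true, output: fn(fn) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Did the response echo the hardcoded secret literal?
function leaksHardcodedSecret(result) {
  return result.ok && result.output.includes("sk_live_EXAMPLE_DO_NOT_USE");
}

// Did the response echo the runtime environment value?
function leaksRuntimeSecret(result) {
  return result.ok && result.output.includes(process.env.ORDER_API_KEY);
}

// Stand-alone demonstration.
console.log("vulnerable leaks hardcoded secret:",
  leaksHardcodedSecret(simulateFunctionArgument(vulnerableLookup)));
console.log("env variant leaks runtime value:",
  leaksRuntimeSecret(simulateFunctionArgument(envLookup)));
console.log("hardened result:", simulateFunctionArgument(hardenedLookup));
console.log("hardened normal call:", hardenedLookup("A123"));
```

The env-var variant still echoes the text `process.env.ORDER_API_KEY` from its own source, which is why the advisory treats that case as safe: the attacker learns where the secret comes from, not what it is. The hardening is deliberately an allow-list on the argument rather than a check for `typeof orderId === "function"`, because objects with a custom `toString` can carry arbitrary text just as well.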
Read at The Register