
Security Alert: React Server Components – Denial-of-Service and Source Code Exposure

Multiple vulnerabilities (CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183) have been discovered in React Server Components (RSC) that could allow attackers to disrupt application services or access server-side code.
 
Affected Systems
  • React and related Server packages: versions 19.0.0 to 19.2.2 (includes react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack).
 
Security Risks
 
Exploitation of these vulnerabilities may enable attackers to significantly disrupt application availability and potentially expose sensitive server‑side source code.
 
Recommended Actions
 
The National Cyber Security Authority (NCSA) recommends the following actions:
 
  • For the affected React server packages, update react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to the patched versions: 19.0.3, 19.1.4, and 19.2.3.
  • Ensure you have the latest backup that can be easily restored before applying any updates or patches.
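
To find installations that still need the update, the check below scans an npm lockfile for the three server packages at affected versions; it is an added example, not NCSA or React project code. It assumes a `package-lock.json` in lockfile format v2 or v3 (a top-level `packages` map) and that each patched release (19.0.3, 19.1.4, 19.2.3) is the fix for its own 19.x line; the function names and the sample data are constructed for illustration.

```javascript
// Added example: versions come from the advisory; the per-minor-line mapping is an assumption.
const PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// First patched release for each affected 19.x line (assumed mapping).
const FIXED_PATCH = { 0: 3, 1: 4, 2: 3 };

// Returns the patched version to move to, or null if `version` is not affected.
function requiredUpgrade(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return null; // unparsable version strings are not flagged
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 19 || !(minor in FIXED_PATCH)) return null;
  return patch < FIXED_PATCH[minor] ? `19.${minor}.${FIXED_PATCH[minor]}` : null;
}

// Walks the "packages" map of an npm lockfile (v2/v3), including nested copies.
function findAffected(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!PACKAGES.includes(name)) continue;
    const upgradeTo = requiredUpgrade(entry.version);
    if (upgradeTo) findings.push({ path, name, installed: entry.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.2.3" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.0.0" },
    "node_modules/react": { version: "19.1.2" },
  },
};

for (const f of findAffected(sampleLock)) {
  console.log(`${f.path}: ${f.installed} -> upgrade to ${f.upgradeTo}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAffected`; nested entries matter because a dependency can bundle its own copy of an affected package.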
 
For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009.

15 December 2025

© 2025 National Cyber Security Authority