
Two new security issues were recently discovered in React Server Components, affecting frameworks like Next.js that use the App Router. The vulnerabilities were found through community research following the React2Shell incident. There’s no evidence they’ve been exploited, but they can still cause real problems if left unpatched. This post breaks down what went wrong and what you should do next.
I recently received an email from the Vercel Security Team about new vulnerabilities found in React Server Components. Since this affects Next.js and the App Router, I wanted to share a clear breakdown of what the email said, why it matters, and what actions developers should take. Below is the email summary and my notes on the issues and the fixes.

Two new security issues were recently found in React Server Components (RSC). They affect frameworks that use RSC, including Next.js with the App Router.
These findings came out of continued community research after the React2Shell incident. An external security researcher reported the issues through the Vercel and Meta bug bounty programs.
The good news first:
There’s no sign these vulnerabilities have been exploited.
Still, they’re real issues, and they’re worth fixing properly.
Issue 1: Denial of service
What’s going on
A specially crafted HTTP request sent to any App Router endpoint can cause the server to get stuck and consume CPU.
This happens during the deserialization of RSC requests. Once triggered, the server process can hang and stop responding.
An earlier fix tried to address this, but it didn’t cover all payload types. The remaining gap is tracked as a follow-up issue, CVE-2025-67779.
Why it matters
In short, a single bad request can take your server down.
Issue 2: Server Action source code disclosure
What’s going on
Another crafted request can cause an App Router endpoint to return the compiled source code of Server Actions.
By default this doesn’t expose environment variables or secrets, but it can reveal internal logic and implementation details.
Why it matters
Even without secrets, leaking code is still not something you want.
Has this been exploited?
At this point, no.
There’s no evidence these vulnerabilities have been used in real attacks. But they are practical to exploit, which is why they were treated seriously.
Do I still need to update?
Yes. Even if you already patched your app during the React2Shell incident, you still need to update.
The earlier fixes are not enough.
This is a good reminder to:
Most teams already do this, but it’s worth double-checking.
Vercel will continue to post updates and guidance in the React2Shell Security Bulletin.
If more related issues show up, that’s where they’ll be documented first.
React Server Components unlock a lot of power, but they also move more responsibility into the framework layer. When something breaks there, the impact can be wide.
The fix here is simple: update, verify, and move on.
And as always, the security team has committed to transparent and timely disclosures as new information comes in.