The sources primarily concern a significant security event surrounding React Server Components (RSC), detailing new vulnerabilities discovered shortly after the disclosure of the critical "React2Shell" Remote Code Execution (RCE) flaw. These newly identified issues include a High Severity Denial of Service (DoS), tracked as CVE-2025-55184 and CVE-2025-67779, which can hang server processes, and a Medium Severity Source Code Exposure vulnerability (CVE-2025-55183), capable of leaking hardcoded secrets and business logic. Multiple advisories from React and Next.js emphasize the need for immediate and repeated patching, as initial fixes for the DoS vulnerability were incomplete and subsequent patched versions were still susceptible to these new flaws. One source, however, provides a critical analysis of RSC's architecture, arguing that the original RCE vulnerability resulted from violating fundamental security principles by using a complex, custom serialization protocol that treats client input as trusted.
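The source code exposure issue matters most where secrets sit as literals in server-side modules. The check below is an added example, not code from React, Next.js or the sources summarized here; it flags likely hardcoded secrets in modules that carry a `'use server'` directive. Scoping to that directive, the name patterns, the entropy threshold and the sample module are all assumptions made for illustration.

```javascript
// Added example: flag likely hardcoded secrets in 'use server' modules.
// Name patterns and the entropy threshold are assumptions, not a standard.
const SAMPLE = [ // constructed sample module, not real code or real keys
  "'use server';",
  "const PAYMENT_API_KEY = 'CONSTRUCTED-not-a-real-key';",
  "const key = process.env.PAYMENT_KEY;",
  "export async function charge(id) {",
  "  const label = 'charge customer';",
  "  return fetch(url, { headers: { auth: 'q8Zr3vLx0PmT7wYk2NbH5sDc' } });",
  "}",
].join('\n');

// Shannon entropy in bits per character; random tokens score high.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// True if any line of the file is a bare 'use server' directive.
function hasUseServer(source) {
  return /^\s*(['"])use server\1\s*;?\s*$/m.test(source);
}

const SECRET_NAME = /(secret|token|passw(or)?d|api[_-]?key|private[_-]?key)/i;
// Matches `name = "literal"` and `name: "literal"` with a literal of 8+ chars.
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*(['"`])([^'"`\n]{8,})\2/g;

// Returns [{ line, name, reason }] for literals that look like secrets.
function findHardcodedSecrets(source) {
  if (!hasUseServer(source)) return [];
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(ASSIGNMENT)) {
      const [, name, , value] = m;
      const named = SECRET_NAME.test(name);
      const random = value.length >= 20 && entropy(value) >= 4.0;
      if (named || random) findings.push({ line: i + 1, name, reason: named ? 'name' : 'entropy' });
    }
  });
  return findings;
}

console.log(findHardcodedSecrets(SAMPLE));
```

The value read from `process.env` is not flagged, which is the pattern to move flagged literals toward; any secret that was hardcoded in an exposed module should be rotated as well as relocated.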