Upgrade react-server-dom-webpack from 19.0.1 to 19.0.3: Critical DoS and Source Code Exposure Security Fixes #2223

@AbanoubGhadban

Summary

Three further security vulnerabilities in React Server Components were disclosed on December 11, 2025, after the CVE-2025-55182 RCE fix. They are separate issues and require upgrading react-server-dom-webpack from 19.0.1 to 19.0.3.

Status: All three vulnerabilities are currently unpatched in this project.


Vulnerabilities Requiring Fix

1. Denial of Service (DoS) via Infinite Loop - HIGH

  • CVEs: CVE-2025-55184, CVE-2025-67779
  • CVSS Score: 7.5 (High)
  • Affected Versions: 19.0.0–19.0.2, 19.1.0–19.1.2, 19.2.0–19.2.1
  • Fixed In: 19.0.3, 19.1.4, 19.2.3

What it is:

  • Malicious HTTP request to Server Functions endpoint causes infinite loop
  • Server process hangs, consumes 100% CPU
  • No authentication or special privileges required
  • Network-accessible attack

Attack Vector:

  • Attacker sends a crafted request whose payload contains a cyclic thenable structure
  • React's deserialization code enters an infinite loop while traversing the thenables
  • The server becomes unresponsive to legitimate requests

2. Source Code Exposure - MEDIUM

  • CVE: CVE-2025-55183
  • CVSS Score: 5.3 (Medium)
  • Affected Versions: 19.0.0–19.0.2, 19.1.0–19.1.3, 19.2.0–19.2.2
  • Fixed In: 19.0.3, 19.1.4, 19.2.3

What it is:

  • An attacker can extract the source code of Server Functions via a malicious request
  • Leaked data includes:
    • Hardcoded secrets embedded in the source code
    • Inlined function implementations
    • Function logic and structure
  • Only Server Functions that stringify an argument (e.g. interpolate it into a template) are affected

Attack Vector:

  • A malicious HTTP request targets the Server Function endpoint
  • If the function stringifies its arguments (e.g. in a template literal), the function's source code is echoed back in the response
  • Example exposed data:
    {
      "message": "Hello, async function(a){console.log(\"secretKey\");return await db.createUser(a)}!"
    }

What is NOT exposed:

  • Runtime environment variables (e.g., process.env.SECRET)
  • Code outside Server Functions (client-side code is safe)

Current Status

| CVE            | Vulnerability          | Status                        | Fix Required      |
|----------------|------------------------|-------------------------------|-------------------|
| CVE-2025-55182 | RCE in deserialization | ✅ Fixed (PR #2175, v19.0.1)  | None              |
| CVE-2025-55184 | DoS - Infinite Loop    | VULNERABLE                    | Upgrade to 19.0.3 |
| CVE-2025-67779 | DoS - Incomplete patch | VULNERABLE                    | Upgrade to 19.0.3 |
| CVE-2025-55183 | Source Code Exposure   | VULNERABLE                    | Upgrade to 19.0.3 |

Technical Details

Why This Happened

  1. Dec 8: PR #2175 ("Fix CVE-2025-55182 - React Server Components RCE Vulnerability") was merged, updating the vendored package to 19.0.1 (fixed the CVE-2025-55182 RCE)
  2. Dec 11: the React team published an emergency 19.0.3 release with additional fixes
  3. The vendored src/react-server-dom-webpack/ is still at 19.0.1 (see package.json:4)

What Changed in 19.0.3

DoS Fix - Cycle Protection:

// Added in 19.0.3 to prevent infinite loops
var cycleProtection = 0;
while (inspectedValue instanceof ReactPromise) {
  cycleProtection++;
  if (inspectedValue === this || cycleProtection > 1000) {
    reject(Error("Cannot have cyclic thenables."));
    return;
  }
  // Continue traversal...
}

Source Code Leak Fix - Masking Function ToString:

// Added in 19.0.3
var serverReferenceToString = {
  value: function () {
    return "function () { [omitted code] }";  // Safe response
  },
  configurable: true,
  writable: true
}

Additional Protection:

  • Added "then" key validation to prevent prototype pollution
  • Enhanced promise unwrapping logic with bounds checking
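As an added illustration (not React's own code and not part of this issue), the following models both mitigations described above: a bounded thenable-unwrapping loop next to the pre-fix unbounded one, and the toString mask installed on a server reference. FakeReactPromise, unwrapUnguarded, unwrapGuarded, registerServerReference and the cyclic input are constructed stand-ins for React's internals, not its real classes or entry points.

```javascript
// Added illustration (not React's source): simplified model of the 19.0.3 guard and mask.
const MAX_DEPTH = 1000; // same bound React uses for cycleProtection
// Assumed stand-in for React's internal promise wrapper; `inner` is the next thenable or value.
class FakeReactPromise {
  constructor(inner) { this.inner = inner; }
}
// Pre-fix behaviour: walk thenables until a plain value appears. A cyclic chain never
// finishes; `hardStop` exists only so this demo cannot hang the process.
function unwrapUnguarded(value, hardStop = 5000) {
  let steps = 0;
  while (value instanceof FakeReactPromise) {
    if (++steps > hardStop) return { hung: true, steps };
    value = value.inner;
  }
  return { hung: false, steps, value };
}
// 19.0.3-style guard: count hops and reject once the chain points back at the promise
// being resolved (`self`) or exceeds the bound, instead of looping forever.
function unwrapGuarded(value, self) {
  let cycleProtection = 0;
  while (value instanceof FakeReactPromise) {
    cycleProtection++;
    if (value === self || cycleProtection > MAX_DEPTH) {
      throw new Error('Cannot have cyclic thenables.');
    }
    value = value.inner;
  }
  return value;
}
// Constructed input: a two-node cycle a -> b -> a.
function makeCycle() {
  const a = new FakeReactPromise(null);
  const b = new FakeReactPromise(a);
  a.inner = b;
  return a;
}
// Source-exposure mitigation: once this descriptor is installed on a server reference,
// string coercion (template literal, String(), concatenation) yields a placeholder,
// not the function body.
const serverReferenceToString = {
  value: function () { return 'function () { [omitted code] }'; },
  configurable: true,
  writable: true,
};
function registerServerReference(fn) {
  Object.defineProperty(fn, 'toString', serverReferenceToString);
  return fn;
}
```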

Action Items

Phase 1: Update react-server-dom-webpack

  • Update src/react-server-dom-webpack/package.json version from 19.0.1 to 19.0.3
  • Download 19.0.3 compiled bundles from npm
  • Replace all files in:
    • src/react-server-dom-webpack/cjs/ (development and production bundles)
    • src/react-server-dom-webpack/esm/ (ESM bundles)
    • Root-level exports (.js files)

Phase 2: Verification

  • Run yarn test to ensure there are no regressions
  • Verify the security changes are present in the compiled files:
    • the cycleProtection variable in the server bundles
    • serverReferenceToString in the client bundles
  • Check that bundle sizes have not changed drastically

Phase 3: Release

  • Update CHANGELOG.md with security fixes
  • Bump package version appropriately
  • Create PR with detailed security context
  • Merge and publish

Timeline

| Date         | Event                                                            |
|--------------|------------------------------------------------------------------|
| Dec 3, 2025  | Source code exposure reported by Andrew MacPherson                |
| Dec 4, 2025  | Initial DoS reported by RyotaK (GMO Flatt Security)              |
| Dec 6, 2025  | Issues confirmed by React team                                   |
| Dec 7, 2025  | Initial fixes created                                            |
| Dec 8, 2025  | CVE-2025-55182 RCE fix released (our PR #2175 merged)            |
| Dec 10, 2025 | Hosting providers notified and mitigations deployed              |
| Dec 11, 2025 | Additional DoS reported; all CVEs disclosed; 19.0.3 released     |

Notes for Implementer

  • The fix is straightforward: replace the bundled files with those from npm's 19.0.3 release
  • No code changes are needed; only the compiled bundles are swapped
  • All security fixes are included in the npm 19.0.3 package
  • The existing test coverage should catch any issues
