Executive Summary
Two new vulnerabilities have been identified in React Server Components: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183). These vulnerabilities affect frameworks that use React Server Components, including Next.js. While Vercel has deployed automatic WAF protections for its customers, the announcement stresses that all users must upgrade to the latest patched versions of React and affected frameworks immediately for full protection.
Key Takeaways
* Two New Vulnerabilities:
* CVE-2025-55184 (High-severity): A Denial of Service attack where a malicious request can cause the server process to hang and consume high CPU.
* CVE-2025-55183 (Medium-severity): A Source Code Exposure flaw where a malicious request can retrieve the compiled source code of Server Actions.
* Affected Software: The vulnerabilities are present in `react-server-dom-*` packages and affect frameworks like Next.js (versions 13.x through 16.x) and others that depend on React Server Components.
* Immediate Action Required: All users are urged to upgrade to a patched version as soon as possible.
* Patched Versions: Fixes are available in React versions 19.0.2, 19.1.3, 19.2.2 and various updated versions of Next.js (e.g., 14.2.34, 15.0.6).
* Important Caveat: These vulnerabilities do not allow for Remote Code Execution (RCE).
Strategic Importance
This announcement underscores the ongoing security scrutiny of server-side components and reinforces the critical need for developers to maintain prompt dependency patching. It also highlights Vercel's proactive security strategy of deploying platform-level mitigations (WAF rules) to provide an initial layer of defense for its customers during critical vulnerability disclosures.