7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-55184

CVE-2025-55184: Denial of Service Vulnerability in React Server Components

Impact

There is a denial of service vulnerability in React Server Components.

React recommends updating immediately.

The vulnerability exists in versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of:

These issues are present in the patches published last week.

Patches

Fixes were back ported to versions 19.0.2, 19.1.3, and 19.2.2.

If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

References

See the blog post for more information and upgrade instructions.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-55184

CVE-2025-55184:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-server-dom-parcel	npm	>= 19.0.0, < 19.0.2	19.0.2
react-server-dom-turbopack	npm	>= 19.0.0, < 19.0.2	19.0.2
react-server-dom-webpack	npm	>= 19.0.0, < 19.0.2	19.0.2
react-server-dom-parcel	npm	>= 19.1.0, < 19.1.3	19.1.3
react-server-dom-parcel	npm	>= 19.2.0, < 19.2.2	19.2.2
react-server-dom-turbopack	npm	>= 19.1.0, < 19.1.3	19.1.3
react-server-dom-turbopack	npm	>= 19.2.0, < 19.2.2	19.2.2
react-server-dom-webpack	npm	>= 19.1.0, < 19.1.3	19.1.3
react-server-dom-webpack	npm	>= 19.2.0, < 19.2.2	19.2.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Denial of Service in React Server Components, categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data). The root cause lies in the improper handling of specially crafted payloads during deserialization on the server.

The analysis of the patch commit ac60e735881439ae074706e194fd22781805411f reveals two main attack vectors that were fixed:

Promise/Thenable Cycles: The primary vector was the possibility of creating a cyclic promise (a "thenable" that resolves to itself) within the serialized data. The deserialization logic in packages/react-server/src/ReactFlightReplyServer.js would enter an infinite loop when trying to resolve such a promise. The functions ReactPromise.then, fulfillReference, and getOutlinedModel were directly involved in this looping behavior. The patch mitigates this by adding explicit cycle detection within ReactPromise.then and removing the vulnerable looping logic from fulfillReference and getOutlinedModel. Furthermore, checks were added to loadServerReference and createModel to prevent the creation of malicious promise-like objects from properties named "then".
Resource Re-initialization: The second vector involved the repeated initialization of resources like TypedArrays and Streams. The functions parseTypedArray, parseReadableStream, and parseAsyncIterable could be tricked into processing the same resource ID multiple times. This would lead to unnecessary resource allocation and processing, eventually causing a Denial of Service. The patch addresses this by adding checks to ensure that a resource ID is only initialized once.

The identified vulnerable functions are all part of the server-side deserialization pipeline in ReactFlightReplyServer.js. An unauthenticated attacker could send a malicious payload to a server using React Server Components, triggering these vulnerabilities and causing the server to become unresponsive.

Vulnerable functions

ReactPromise.then

packages/react-server/src/ReactFlightReplyServer.js

The original implementation of the `then` method on the internal `ReactPromise` object did not have a mechanism to detect cyclic promise chains. A malicious actor could craft a serialized payload containing a promise that resolves to itself, causing the `then` method to enter an infinite recursive loop, which would lead to a Denial of Service (DoS) due to a stack overflow.

fulfillReference

packages/react-server/src/ReactFlightReplyServer.js

This function is responsible for resolving object references from the serialized payload. The vulnerable version of the code contained a loop designed to unwrap nested promises. A malicious payload could exploit this by creating a reference to a promise that forms a cycle. This would cause the function to loop indefinitely, resulting in a Denial of Service (DoS).

getOutlinedModel

packages/react-server/src/ReactFlightReplyServer.js

Similar to `fulfillReference`, this function processes parts of the serialized model and was vulnerable to an infinite loop. A crafted payload with a cyclically referenced promise would cause this function to loop indefinitely while trying to resolve the promise, leading to a Denial of Service (DoS).

loadServerReference

packages/react-server/src/ReactFlightReplyServer.js

This function loads server references during the deserialization process. The vulnerability existed because it did not check for the property name 'then'. This allowed an attacker to craft a payload that could create a malicious promise-like object when the framework attempted to access a property named 'then', which could then be used to trigger a promise cycle DoS vulnerability.

createModel

packages/react-server/src/ReactFlightReplyServer.js

This function is part of the model creation process during deserialization. Similar to `loadServerReference`, it lacked a check for the 'then' property. This oversight allowed a crafted payload to create a malicious promise-like object, which could then be used to trigger a Denial of Service (DoS) attack.

parseTypedArray

packages/react-server/src/ReactFlightReplyServer.js

This function is responsible for parsing typed arrays from the payload. The vulnerability allowed for the re-initialization of a typed array by referencing the same ID multiple times. This could lead to excessive resource allocation and processing, ultimately causing a Denial of Service (DoS).

parseReadableStream

packages/react-server/src/ReactFlightReplyServer.js

This function parses readable streams and was vulnerable to a re-initialization attack, similar to `parseTypedArray`. A malicious payload could cause the same stream to be processed multiple times, leading to resource exhaustion and a Denial of Service (DoS).

parseAsyncIterable

packages/react-server/src/ReactFlightReplyServer.js

This function parses async iterables and was vulnerable to the same re-initialization attack as `parseReadableStream` and `parseTypedArray`. This allowed an attacker to trigger a Denial of Service (DoS) through resource exhaustion by forcing the same iterable to be processed multiple times.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-55184: Denial of Service Vulnerability in React Server Components

Impact

Patches

References

CVE-2025-55184:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-55184: Denial of Service Vulnerability in React Server Components

Impact

Patches

References

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI