Source: DoS and Source Code Exposure in RSC · React Team · Dec 11, 2025 (updated Jan 26, 2026)
After React2Shell patches, researchers found DoS (High) and source code exposure (Medium) in the same packages. RCE mitigations remain effective; you must upgrade again.

Affected packages
react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack on React 19.0.0 through 19.2.3. Fixed in 19.0.4, 19.1.5, and 19.2.4. Earlier partial patches (19.0.3 etc.) are incomplete.
Non-server React apps unaffected. Frameworks affected include Next.js, react-router, waku, and RSC bundler plugins.
DoS (CVSS 7.5)
Crafted requests to Server Function endpoints can send deserialization into an infinite loop and hang the CPU. This is reachable whenever RSC is enabled, even in apps that define no custom server actions. Additional fixes: CVE-2026-23864 (Jan 26, 2026).
Source exposure (CVSS 5.3)
Malicious requests may leak Server Function source code via stringified arguments. Secrets hardcoded in that source may leak; secrets read from process.env at runtime do not. Verify that production bundles contain no hardcoded secrets.
Action
Upgrade immediately; don’t rely on hosting mitigations alone. Pin RSC package versions in CI.
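A CI check that enforces the version floor above, written here as an added example (not the React team's code): it walks a package-lock.json `packages` map, matches the three affected package names, and flags any 19.x install below the fixed release for its minor line. The lockfile fragment is constructed for illustration; the fixed versions are the ones stated in the advisory.

```javascript
// Affected packages and the minimum safe release per 19.x minor line (from the advisory).
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
const FIXED_BY_MINOR = { 0: "19.0.4", 1: "19.1.5", 2: "19.2.4" };

// Parse "MAJOR.MINOR.PATCH" (prerelease suffixes are ignored, by assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  = at or above the fixed release for its minor line
// false = a 19.x release below the fix
// null  = not 19.x, or a minor line the advisory does not list (do not assume safe)
function isFixed(version) {
  const parsed = parseVersion(version);
  if (parsed[0] !== 19) return null;
  const fixed = FIXED_BY_MINOR[parsed[1]];
  if (!fixed) return null;
  return compareVersions(parsed, parseVersion(fixed)) >= 0;
}

// Walk a lockfile v2/v3 "packages" map; keys look like "node_modules/<name>",
// possibly nested under another package's node_modules.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const ok = isFixed(entry.version);
    const status = ok === null ? "unknown" : ok ? "fixed" : "vulnerable";
    findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Fail the build if any affected package is still on a vulnerable release.
function hasVulnerable(lock) {
  return auditLockfile(lock).some((f) => f.status === "vulnerable");
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  packages: {
    "node_modules/react-server-dom-webpack": { version: "19.2.3" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.4" },
    "node_modules/app/node_modules/react-server-dom-parcel": { version: "19.0.3" },
  },
};
```

In CI, load the real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` and exit non-zero when `hasVulnerable` returns true.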
