React 19.2 Security Update: DoS Mitigations for Server Actions
React has released security patches, most recently versions 19.2.4 and 19.1.5, to address denial-of-service vulnerabilities in React Server Components, following the disclosure of multiple deserialization issues.
The React team has released security updates addressing high-severity vulnerabilities in React Server Components that could allow denial-of-service attacks and, in one case, source code exposure. The patches, distributed across the 19.0.x, 19.1.x, and 19.2.x release branches, fix deserialization vulnerabilities discovered through community security research in the wake of the React2Shell disclosure in late 2025.
Vulnerabilities Addressed
The primary issue, tracked as CVE-2025-55184, is a high-severity deserialization vulnerability in React Server Components that allows an unauthenticated attacker to cause a denial of service. A second issue, CVE-2025-55183, is a medium-severity source code exposure. The vulnerabilities affect React versions 19.0.0 through 19.2.1 and the corresponding Next.js versions 13.x through 16.x, that is, applications that use Server Actions and React Server Components.
Patched Versions
Developers should upgrade to React 19.0.3, 19.1.4, or 19.2.3 at minimum, depending on the release branch they are on, with the latest releases (19.1.5 and 19.2.4) providing additional hardening. The fixes ship in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages, so those are the package versions to check, not the react package alone. The initial patches released in December 2025 were later found to be incomplete, which is why the later updates are essential for every production deployment that uses Server Components.
Recommendations
All applications using React Server Components or Next.js 13 or later should prioritize upgrading to the latest patched versions. The vulnerabilities are particularly concerning because exploitation requires no authentication, so an attacker can disrupt a service without holding any credentials. Teams should review their React dependencies, including transitive copies pulled in by a framework, and update immediately, testing thoroughly in staging before deploying to production.