React Server Components Face Fresh Security Scrutiny with New DoS and Source Code Exposure Vulnerabilities
The React ecosystem is grappling with a rapid succession of security vulnerabilities affecting React Server Components (RSC) and Server Actions, critical features in modern React frameworks such as Next.js. Following a significant Remote Code Execution (RCE) vulnerability disclosed on December 3rd, which allowed attackers to execute arbitrary server-side code, two new security flaws have now emerged: a Denial of Service (DoS) vulnerability and a Source Code Exposure vulnerability. The initial RCE exploit leveraged the complex parsing mechanism of the React Flight Protocol: a specially crafted payload could manipulate instruction processing to reach the JavaScript Function constructor, enabling execution of arbitrary Node.js code on the server, from reading or deleting files to spawning processes.
These latest vulnerabilities, identified during the patching and testing process for the initial RCE, underscore ongoing concerns with the React Flight Protocol's design. The DoS vulnerability permits attackers to craft requests that induce infinite loops on the server, leading to application crashes and service unavailability. More critically, the Source Code Exposure vulnerability allows malicious payloads to trigger disclosure of application source code. While secrets managed via environment variables remain protected, hardcoded credentials or sensitive business logic within the exposed source code could provide further attack vectors or reveal critical intellectual property. Developers are urged to apply the available patches immediately to their Next.js and other RSC-enabled applications to mitigate these risks. The incidents have also prompted a broader discussion within the community about the inherent security posture and complexity of the tightly coupled client-server architecture that RSCs facilitate.