Security researchers found new vulnerabilities in React Server Components, including high-severity Denial of Service and medium-severity source code exposure issues. Users are urged to upgrade to fixed versions immediately to mitigate potential exploits.
Security researchers have identified two significant vulnerabilities in React Server Components, leading to a high-severity Denial of Service (DoS) risk and a medium-severity source code exposure risk. The DoS risk is tracked as CVE-2025-55184, CVE-2025-67779, and CVE-2026-23864, rated at CVSS 7.5; the source code exposure is tracked as CVE-2025-55183, rated at CVSS 5.3. These flaws do not allow Remote Code Execution, but crafted HTTP requests can still crash the server or cause excessive resource usage.
The affected versions include React 19.0.0 through 19.2.3. Users are urged to upgrade to fixed versions 19.0.4, 19.1.5, or 19.2.4 to mitigate risks. Frameworks and bundlers like Next, react-router, and Vite are also impacted. Users not leveraging a server or those using frameworks that don’t support React Server Components are not at risk. Patches were rolled out on January 26, 2026, addressing the newly discovered DoS vulnerabilities, which could lead to infinite loops in server processes.
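The version ranges above can be turned into a lockfile check. This is an added example, not code from the React advisory or the React project. It assumes an npm lockfile with a `packages` map (lockfile v2/v3), audits only the `react` package unless other names are passed in, and treats later patch releases on a fixed line as fixed; the sample lockfile is constructed.

```javascript
// Added example, not React project code. Fixed patch level per release line,
// from the versions on this page: 19.0.4, 19.1.5, 19.2.4.
const FIXED_PATCH = { "19.0": 4, "19.1": 5, "19.2": 4 };

// Classify one version string against the page's affected range
// (19.0.0 through 19.2.3).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version);
  if (!m) return "unknown";
  const fixedPatch = FIXED_PATCH[`${m[1]}.${m[2]}`];
  if (fixedPatch === undefined) return "not-listed"; // page makes no claim
  if (m[4]) return "review"; // prerelease/canary build: page makes no claim
  // Assumption: later patch releases on a line keep the fix.
  return Number(m[3]) < fixedPatch ? "affected" : "fixed";
}

// Walk every installed copy in a parsed package-lock.json, including nested
// copies pulled in by dependencies, and report the ones needing action.
function auditLockfile(lock, names = ["react"]) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // "" is the root project
    const name = path.slice(idx + "node_modules/".length);
    if (!names.includes(name)) continue;
    const status = classify(entry.version);
    if (status !== "fixed" && status !== "not-listed") {
      findings.push({ path, version: entry.version, status });
    }
  }
  return findings;
}

// Constructed sample; in practice pass JSON.parse of your package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.3" },
    "node_modules/widget/node_modules/react": { version: "19.1.5" },
    "node_modules/legacy/node_modules/react": { version: "18.3.1" },
    "node_modules/react-dom": { version: "19.2.3" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Nested copies matter here because a dependency can pin its own older React even after the top-level package is upgraded.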
The timeline reveals a rapid response from the React team following the vulnerabilities' discovery. Reports came in on December 3 and 4, 2025, with immediate investigations and fixes initiated by December 6. The vulnerabilities were publicly disclosed on December 11, 2025, with further findings leading to additional patches in January 2026. The article credits several security researchers for their contributions in identifying these vulnerabilities.