React Server Components Information Leak Vulnerability
Vulnerability
An information leak vulnerability exists in certain configurations of React Server Components, specifically in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 of the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A crafted HTTP request sent to a vulnerable Server Function can cause it to improperly disclose its own source code. Exploitation requires a Server Function that explicitly or implicitly reveals a stringified argument.
Impact
Exploitation of this vulnerability could lead to unauthorized exposure of source code, including potential secrets hardcoded within the leaked code, such as database connection keys.
Reproduction
To reproduce this vulnerability, a Server Function must exist that stringifies one of its arguments, either explicitly or implicitly. A crafted HTTP request sent to that function's endpoint then triggers the vulnerability: the response returns the source code of the function, including the stringified argument.
Remediation
Users should upgrade to React Server Components versions 19.0.2, 19.1.3, or 19.2.2, where this vulnerability has been patched. React Native users in a monorepo should update only the impacted packages, to avoid version mismatch errors.
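An added example (not code from the React project) that audits a parsed package.json against the affected packages and the vulnerable and fixed versions listed in this advisory, reporting per package which minor-line release to upgrade to. The sample manifest is constructed for illustration.

```javascript
// Added example, not part of the React project: audit a dependency manifest
// against the affected package and version list given in this advisory.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);
// Vulnerable releases and the first fixed release of each minor line, as stated above.
const VULNERABLE_VERSIONS = new Set([
  "19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1",
]);
const FIXED_BY_MINOR = { "19.0": "19.0.2", "19.1": "19.1.3", "19.2": "19.2.2" };

// Strip a leading range operator (^, ~, =, v) so a package.json spec can be compared.
function normalizeVersion(spec) {
  const m = /^[~^=v]*(\d+\.\d+\.\d+)/.exec(String(spec).trim());
  return m ? m[1] : null;
}

// Assess one dependency; returns null when the package is not in scope.
function assessDependency(name, spec) {
  if (!AFFECTED_PACKAGES.has(name)) return null;
  const version = normalizeVersion(spec);
  if (version === null) {
    // Git URLs, tags or workspace specs: cannot be compared, flag for manual review.
    return { name, version: spec, vulnerable: null, upgradeTo: null, note: "inspect manually" };
  }
  const minor = version.split(".").slice(0, 2).join(".");
  const vulnerable = VULNERABLE_VERSIONS.has(version);
  return { name, version, vulnerable, upgradeTo: vulnerable ? FIXED_BY_MINOR[minor] : null };
}

// Walk the dependency sections of a parsed package.json object and collect findings.
function auditDependencies(pkg) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const finding = assessDependency(name, spec);
      if (finding) findings.push(finding);
    }
  }
  return findings;
}

// Constructed sample manifest: one vulnerable range, one already-patched pin.
const samplePackageJson = {
  dependencies: {
    react: "19.2.1",
    "react-server-dom-webpack": "^19.2.1",
    "react-server-dom-parcel": "19.2.2",
  },
};
console.log(JSON.stringify(auditDependencies(samplePackageJson), null, 2));
```

A range such as ^19.2.1 may already resolve to the patched 19.2.2 in the lockfile, so run the check against resolved versions from package-lock.json or the equivalent lockfile rather than the ranges in package.json.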
