fix: opt-in mitigation for React RCE/DoS CVEs (#34676)

This adds opt-in, load-time source patches that neutralize two known
React Server Components vulnerabilities shipped in affected react-server-dom-*
builds: CVE-2025-55182 (RCE), where deserialized model keys are not
filtered and a crafted payload can reach constructor / prototype /
_response, and CVE-2025-55184 (DoS), where a cyclic thenable makes chunk
fulfillment loop forever. The fix rewrites the affected snippets as the
source is loaded, which lets us protect applications that depend on a
vulnerable build without waiting on an upstream package release.

The mitigation is opt-in via the DENO_PATCH_REACT_CVE environment
variable, read once and cached at startup so it cannot be toggled later
from user code. When disabled (the default) the hot path is a single
cached bool check, so there is no cost for the common case. When
enabled, a single \"resolved_model\" substring scan short-circuits the
overwhelmingly common module before any pattern matching runs, and only
JavaScript module source is considered. The patch is wired into all
three module load paths: ESM loading in the CLI, CommonJS-to-ESM translation
in deno_resolver, and require() file reads in ext/node.

Author: bartlomieju

Cargo.lock

@@ -1654,6 +1654,11 @@ static ENV_VARS: &[EnvVar] = &[
     description: "Set to disable checking if a newer Deno version is available",
     example: None,
   },
+  EnvVar {
+    name: "DENO_PATCH_REACT_CVE",
+    description: "Enable load-time source patches mitigating known React Server\nComponents CVEs (CVE-2025-55182, CVE-2025-55184).",
+    example: None,
+  },
   EnvVar {
     name: "DENO_SERVE_ADDRESS",
     description: "Override address for Deno.serve",

cli/args/flags.rs

@@ -602,6 +602,38 @@ pub enum CliModuleLoaderError {
   ResolveReferrer(#[from] ResolveReferrerError),
 }
 
+/// Applies `deno_resolver::patch_react_cves` to JavaScript module source,
+/// handling both string and (valid UTF-8) byte representations without
+/// allocating when no patch is needed.
+fn patch_react_cves_source(
+  specifier: &ModuleSpecifier,
+  code: ModuleSourceCode,
+) -> ModuleSourceCode {
+  // Borrow the source as `&str` and compute the patched output (if any) in an
+  // inner scope so the borrow of `code` ends before we move it below.
+  let patched: Option<String> = {
+    let src = match &code {
+      ModuleSourceCode::String(s) => s.as_str(),
+      ModuleSourceCode::Bytes(b) => match std::str::from_utf8(b.as_bytes()) {
+        Ok(s) => s,
+        // Non UTF-8 source can't contain the ASCII patterns we look for.
+        Err(_) => return code,
+      },
+    };
+    match deno_resolver::patch_react_cves(
+      specifier.as_str(),
+      Cow::Borrowed(src),
+    ) {
+      Cow::Borrowed(_) => None,
+      Cow::Owned(s) => Some(s),
+    }
+  };
+  match patched {
+    Some(s) => ModuleSourceCode::String(s.into()),
+    None => code,
+  }
+}
+
 impl<TGraphContainer: ModuleGraphContainer>
   CliModuleLoaderInner<TGraphContainer>
 {
@@ -638,6 +670,17 @@ impl<TGraphContainer: ModuleGraphContainer>
       code_without_source_map(code_source.code)
     };
 
+    // Apply load-time security mitigations for known React Server Components
+    // CVEs to JavaScript source. Opt in via `DENO_PATCH_REACT_CVE`. See
+    // `deno_resolver::patch_react_cves`.
+    let code = if code_source.module_type == ModuleType::JavaScript
+      && deno_resolver::is_react_cve_patch_enabled(&self.shared.sys)
+    {
+      patch_react_cves_source(specifier, code)
+    } else {
+      code
+    };
+
     let code_cache = if code_source.module_type == ModuleType::JavaScript {
       self.shared.code_cache.as_ref().map(|cache| {
         let code_hash = FastInsecureHasher::new_deno_versioned()

cli/module_loader.rs

@@ -35,6 +35,7 @@ deno_package_json.workspace = true
 deno_path_util.workspace = true
 deno_permissions.workspace = true
 deno_process.workspace = true
+deno_resolver.workspace = true
 deno_tls.workspace = true
 deno_whoami.workspace = true
 filetime.workspace = true

ext/node/Cargo.toml

@@ -358,7 +358,7 @@ deno_core::extension!(deno_node,
     ops::require::op_require_stat<TSys>,
     ops::require::op_require_path_resolve,
     ops::require::op_require_path_basename,
-    ops::require::op_require_read_file,
+    ops::require::op_require_read_file<TSys>,
     ops::require::op_require_as_file_path,
     ops::require::op_require_resolve_exports<TInNpmPackageChecker, TNpmPackageFolderResolver, TSys>,
     ops::require::op_require_read_package_scope<TSys>,

ext/node/lib.rs

@@ -562,18 +562,31 @@ pub fn op_require_try_self<
 }
 
 #[op2(stack_trace)]
-pub fn op_require_read_file(
+pub fn op_require_read_file<TSys: ExtNodeSys + 'static>(
   state: &mut OpState,
-  #[string] file_path: &str,
+  #[string] file_path_str: &str,
 ) -> Result<FastString, RequireError> {
-  let file_path = Cow::Borrowed(Path::new(file_path));
+  let file_path = Cow::Borrowed(Path::new(file_path_str));
   // todo(dsherret): there's multiple borrows to NodeRequireLoaderRc here
   let file_path = ensure_read_permission(state, file_path)
     .map_err(RequireErrorKind::Permission)?;
-  let loader = state.borrow::<NodeRequireLoaderRc>();
-  loader
-    .load_text_file_lossy(&file_path)
-    .map_err(|e| RequireErrorKind::ReadModule(e).into_box())
+  let code = {
+    let loader = state.borrow::<NodeRequireLoaderRc>();
+    loader
+      .load_text_file_lossy(&file_path)
+      .map_err(|e| RequireErrorKind::ReadModule(e).into_box())?
+  };
+  // Apply load-time security mitigations for known React Server Components
+  // CVEs to required (CommonJS) source. Opt in via `DENO_PATCH_REACT_CVE`.
+  let sys = state.borrow::<TSys>();
+  if deno_resolver::is_react_cve_patch_enabled(sys) {
+    match deno_resolver::patch_react_cves(file_path_str, code.as_str().into()) {
+      Cow::Borrowed(_) => Ok(code),
+      Cow::Owned(s) => Ok(s.into()),
+    }
+  } else {
+    Ok(code)
+  }
 }
 
 #[op2]

ext/node/ops/require.rs

@@ -695,3 +695,155 @@ impl<
     )
   }
 }
+
+/// Whether the React CVE source patches are enabled. Opt in by setting the
+/// `DENO_PATCH_REACT_CVE` environment variable to a non-empty value other than
+/// `0`.
+///
+/// The variable is read exactly once (via `sys`) and cached. Module loading
+/// happens before any user code runs, so the value is effectively snapshotted
+/// at startup and cannot be toggled later via `Deno.env.set`.
+pub fn is_react_cve_patch_enabled(sys: &impl sys_traits::EnvVar) -> bool {
+  static ENABLED: std::sync::OnceLock<bool> = std::sync::OnceLock::new();
+  *ENABLED.get_or_init(|| {
+    sys
+      .env_var("DENO_PATCH_REACT_CVE")
+      .map(|v| !v.is_empty() && v != "0")
+      .unwrap_or(false)
+  })
+}
+
+/// Load time source patches that neutralize two known React Server Components
+/// vulnerabilities shipped in affected `react-server-dom-*` builds:
+///
+/// * CVE-2025-55182 (RCE): deserialized model keys are not filtered, letting a
+///   crafted payload reach `constructor` / `prototype` / `_response`.
+/// * CVE-2025-55184 (DoS): a cyclic thenable makes chunk fulfillment loop
+///   forever.
+///
+/// Callers must gate this behind [`is_react_cve_patch_enabled`] (the patches
+/// are opt-in via the `DENO_PATCH_REACT_CVE` environment variable) and only
+/// apply it to JavaScript source.
+pub fn patch_react_cves<'a>(
+  filename: &str,
+  code: Cow<'a, str>,
+) -> Cow<'a, str> {
+  let mut modified = Cow::Borrowed(&*code);
+  let mut offset = 0;
+
+  for (index, _) in code.match_indices("split(") {
+    let index = index + offset;
+
+    let len = "split(".len();
+    if !modified[index + len..].starts_with("':')")
+      && !modified[index + len..].starts_with("\":\")")
+    {
+      continue;
+    }
+
+    let Some((end, _)) = modified[index..].char_indices().nth(100) else {
+      break;
+    };
+
+    if !modified[index..index + end].contains("resolved_model") {
+      continue;
+    }
+
+    let insert =
+      ".filter(x => !(['constructor', 'prototype', '_response'].includes(x)))";
+    let mut s = String::with_capacity(modified.len() + insert.len());
+    s.push_str(&modified[0..index + len + 4]);
+    s.push_str(insert);
+    offset += insert.len();
+    s.push_str(&modified[(index + len + 4)..]);
+    modified = Cow::Owned(s);
+  }
+
+  if offset > 0 {
+    log::debug!("Patched React RCE (CVE-2025-55182) in {filename}");
+  }
+
+  // Collapse the stage 1 (RCE) result back into a `Cow<'a>` before stage 2
+  // borrows it: the original input when nothing was patched, otherwise the
+  // owned patched string. Stage 2 must fall back to this (not `code`) so a
+  // stage 1 patch is preserved even when stage 2 makes no change.
+  let stage1: Cow<'a, str> = match modified {
+    Cow::Borrowed(_) => code,
+    Cow::Owned(s) => Cow::Owned(s),
+  };
+
+  let code2 = &*stage1;
+  let mut modified = Cow::Borrowed(&*stage1);
+  let mut offset = 0;
+
+  const PROTOTYPE_THEN: &str = ".prototype.then";
+  'outer: for (index, _) in code2.match_indices(PROTOTYPE_THEN) {
+    let index = index + offset;
+
+    let after_equals;
+    if modified[index + PROTOTYPE_THEN.len()..].starts_with(" =") {
+      after_equals = index + PROTOTYPE_THEN.len() + 2;
+    } else if modified[index + PROTOTYPE_THEN.len()..].starts_with("=") {
+      after_equals = index + PROTOTYPE_THEN.len() + 1;
+    } else {
+      continue;
+    };
+
+    let Some((end, _)) = modified[index..].char_indices().nth(300) else {
+      break;
+    };
+
+    if !modified[index..index + end].contains("resolved_model") {
+      continue;
+    }
+
+    if !modified[index..index + end].contains("fulfilled") {
+      continue;
+    }
+
+    // now match { until we end up at the next }
+    let mut brace_count = 0;
+    let mut insert_index = None;
+    for (i, c) in modified[index..].char_indices() {
+      if c == '{' {
+        brace_count += 1;
+      } else if c == '}' {
+        if brace_count == 0 {
+          continue 'outer;
+        }
+        brace_count -= 1;
+        if brace_count == 0 {
+          insert_index = Some(index + i + 1);
+          break;
+        }
+      }
+    }
+    let Some(insert_index) = insert_index else {
+      continue;
+    };
+
+    const INSERT_BEFORE: &str = "(()=>{const __old=";
+    const INSERT_AFTER: &str = ";const __new=function(res, rej){return __old.call(this,(v)=>{let w=v;let l=0;while(w&&typeof w==='object'&&w.then===__new){l++;if(w===this||l>1000){if(typeof rej==='function')rej(new Error('Cannot have cyclic thenables.'));return}if(w.status==='fulfilled')w=w.value;else break;}res(v)},rej)};return __new})()";
+
+    // after the = insert the before, and after the } insert the after
+    let mut s = String::with_capacity(
+      modified.len() + INSERT_BEFORE.len() + INSERT_AFTER.len(),
+    );
+    s.push_str(&modified[0..after_equals]);
+    s.push_str(INSERT_BEFORE);
+    s.push_str(&modified[after_equals..insert_index]);
+    s.push_str(INSERT_AFTER);
+    s.push_str(&modified[insert_index..]);
+    offset += INSERT_BEFORE.len() + INSERT_AFTER.len();
+    modified = Cow::Owned(s);
+  }
+
+  if offset > 0 {
+    log::debug!("Patched React DoS (CVE-2025-55184) in {filename}");
+  }
+
+  match modified {
+    Cow::Borrowed(_) => stage1,
+    Cow::Owned(s) => Cow::Owned(s),
+  }
+}

libs/resolver/lib.rs

@@ -550,6 +550,13 @@ impl<TSys: ModuleLoaderSys> PreparedModuleLoader<TSys> {
       .node_code_translator
       .translate_cjs_to_esm(specifier, Some(Cow::Borrowed(js_source.as_ref())))
       .await?;
+    // Apply load-time security mitigations for known React Server Components
+    // CVEs to the translated source. Opt in via `DENO_PATCH_REACT_CVE`.
+    let text = if crate::is_react_cve_patch_enabled(&self.sys) {
+      crate::patch_react_cves(specifier.as_str(), text)
+    } else {
+      text
+    };
     // at this point, we no longer need the parsed source in memory, so free it
     self.parsed_source_cache.free(specifier);
     Ok(match text {

libs/resolver/loader/module_loader.rs

@@ -0,0 +1,37 @@
+{
+  "tests": {
+    "disabled": {
+      "args": "run main.js",
+      "output": "disabled.out"
+    },
+    "enabled": {
+      "args": "run main.js",
+      "envs": {
+        "DENO_PATCH_REACT_CVE": "1"
+      },
+      "output": "enabled.out"
+    },
+    "rce_only_disabled": {
+      "args": "run rce_only_main.js",
+      "output": "keys: [\"a\",\"constructor\",\"b\"]\n"
+    },
+    "rce_only_enabled": {
+      "args": "run rce_only_main.js",
+      "envs": {
+        "DENO_PATCH_REACT_CVE": "1"
+      },
+      "output": "keys: [\"a\",\"b\"]\n"
+    },
+    "dos_only_disabled": {
+      "args": "run dos_only_main.js",
+      "output": "then: resolved-cycle\n"
+    },
+    "dos_only_enabled": {
+      "args": "run dos_only_main.js",
+      "envs": {
+        "DENO_PATCH_REACT_CVE": "1"
+      },
+      "output": "then: rejected Cannot have cyclic thenables.\n"
+    }
+  }
+}

tests/specs/run/react_cve_patch/__test__.jsonc

@@ -0,0 +1,2 @@
+keys: ["a","constructor","b"]
+then: resolved-cycle