New Vulnerabilities in React Server Components Allow DoS Attacks and Source Code Leaks

Less than a week after addressing a critical Remote Code Execution (RCE) vulnerability, the React team has disclosed three additional security flaws affecting React Server Components (RSC).

Security researchers discovered these new issues while attempting to bypass the mitigations for the previous “React2Shell” exploit.

While the original RCE patch remains effective, the newly discovered vulnerabilities introduce risks regarding Denial-of-Service (DoS) and the unauthorized exposure of server-side source code.

The React team emphasizes that previous updates (versions 19.0.2, 19.1.3, and 19.2.2) contained an incomplete fix, necessitating an immediate second upgrade.

The most severe of the new flaws (rated High Severity) involves a Denial-of-Service vector. Researchers found that a malicious HTTP request sent to a Server Functions endpoint can trigger an infinite loop during React’s deserialization process.

This causes the server process to hang and consumes available CPU resources, effectively taking the application offline.

A separate Medium Severity issue allows attackers to manipulate HTTP requests to leak the source code of Server Functions. While runtime secrets (like environment variables) remain secure, any hardcoded secrets or logic within the function could be exposed.

The vulnerabilities are tracked under the following identifiers:

CVE ID           Vulnerability Type                 Severity   CVSS Score
CVE-2025-55184   Denial of Service                  High       7.5
CVE-2025-67779   Denial of Service (Patch Bypass)   High       7.5
CVE-2025-55183   Source Code Exposure               Medium     5.3

Affected Versions

These vulnerabilities affect the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages. Users of frameworks such as Next.js, Waku, and React Router are likely impacted.

The initial patches released earlier this week were incomplete. If you are currently running versions 19.0.2, 19.1.3, or 19.2.2, you remain vulnerable to the DoS exploit (CVE-2025-67779).

Developers must upgrade to the following “safe” versions immediately:

  • 19.0.x branch: Upgrade to 19.0.3
  • 19.1.x branch: Upgrade to 19.1.4
  • 19.2.x branch: Upgrade to 19.2.3
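One way to triage a Node project against the version table above, as an added example that is not code from the article or from the React project: it walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3), picks out the three affected react-server-dom-* packages, including nested copies under a framework's own node_modules, and compares each version against the fixed release for its minor branch. The lockfile contents below are constructed sample data; FIXED carries only the branches the advisory lists, so any other branch is reported as unknown rather than as patched.

```javascript
// Added example: lockfile scan for the affected react-server-dom-* packages.
// Assumes the npm lockfile v2/v3 layout, where "packages" is keyed by the
// package's path (e.g. "node_modules/next/node_modules/react-server-dom-turbopack").
const AFFECTED = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Fixed versions per minor branch, as listed in the advisory.
const FIXED = { '19.0': '19.0.3', '19.1': '19.1.4', '19.2': '19.2.3' };

// "19.2.2" -> [19, 2, 2]; pre-release suffixes such as "-canary" are dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Numeric comparison of two version strings: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Classify one installed version of an affected package.
function assess(name, version) {
  const [major, minor] = parseVersion(version);
  const fixed = FIXED[`${major}.${minor}`];
  if (!fixed) return { name, version, status: 'unknown-branch' };
  const status = compareVersions(version, fixed) < 0 ? 'vulnerable' : 'patched';
  return { name, version, fixed, status };
}

// Return one finding per installed copy of an affected package.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.split('node_modules/').pop();
    if (AFFECTED.includes(name)) findings.push({ path, ...assess(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project's lockfile).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/react-server-dom-webpack': { version: '19.2.2' },
  'node_modules/next': { version: '0.0.0-constructed' },
  'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.4' },
  'node_modules/react-server-dom-parcel': { version: '19.0.1' },
} };
```

Running `scanLockfile(JSON.parse(fs.readFileSync('package-lock.json')))` on a real project lists every installed copy with its status, so a copy vendored under a framework is not missed.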

The React team noted that discovering follow-up vulnerabilities is common after a high-profile disclosure, drawing parallels to the “Log4Shell” incident, where community probing uncovered adjacent flaws. Credit for these discoveries goes to researchers Andrew MacPherson, RyotaK, and Shinsaku Nomura.
