React urges new patch upgrades after security researchers flag additional flaws

React on Thursday warned that users will need to apply another round of patches amid the React2Shell crisis, after researchers discovered additional vulnerabilities, including a denial of service flaw and a source code exposure.

A denial of service vulnerability, tracked as CVE-2025-55184 and CVE-2025-67779, allows an attacker to craft a malicious HTTP request and send it to a Server Functions endpoint, which can send the server into an infinite loop and stop it from serving other requests. The flaw has a severity score of 7.5.

The source code exposure, tracked as CVE-2025-55183, allows a malicious HTTP request sent to a vulnerable Server Function to unsafely return the source code of any Server Function. 

React2Shell was publicly disclosed on Dec. 3 after being discovered in November by researcher Lachlan Davidson. That vulnerability, tracked as CVE-2025-55182, allows an unauthenticated attacker to achieve remote code execution because payloads sent to React Server Function endpoints were unsafely deserialized. The vulnerability is considered critical and easy to exploit. It has a severity score of 10.
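Since the remediation for all three CVEs is a version upgrade, the first practical step is to find every copy of the React Server Components packages in a project, including nested copies that a dependency pins independently. The script below is an added example, not code from React or from this article: it walks an npm `package-lock.json` (v2/v3 layout), flags the RSC packages that sit below a minimum patched version for their release line, and treats prereleases of the patched version as still vulnerable, since `19.2.3-canary` sorts before `19.2.3`. The package names and the versions in `MIN_PATCHED` are assumptions for illustration; take the authoritative list and version numbers from the React advisory. The lockfile embedded at the bottom is constructed sample input.

```python
"""Flag React Server Components packages in a package-lock.json that are below
a minimum patched version.  Added example, not React's own tooling.  Package
names and the MIN_PATCHED values are ASSUMPTIONS for illustration: fill them in
from the React advisory before relying on the output."""
import json
import re
import sys

# Packages that implement the Server Function wire protocol (assumed list).
RSC_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)

# Minimum patched version per release line, keyed by "major.minor".
# PLACEHOLDER values; replace with the versions named in the advisory.
MIN_PATCHED = {
    "19.0": "19.0.3",
    "19.1": "19.1.4",
    "19.2": "19.2.3",
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease), or None if unparsable."""
    m = _SEMVER.match(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) is not None


def status_of(version, min_patched=MIN_PATCHED):
    """Classify a version as 'vulnerable', 'patched' or 'unknown'.

    'unknown' covers unparsable strings and release lines that are not in the
    table; a reviewer should look at those by hand rather than trust a guess."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    major, minor, patch, pre = parsed
    floor = min_patched.get(f"{major}.{minor}")
    if floor is None:
        return "unknown"
    fmaj, fmin, fpatch, _ = parse_version(floor)
    # A prerelease sorts before its release, so 19.2.3-canary is still below 19.2.3.
    below = (major, minor, patch) < (fmaj, fmin, fpatch) or (
        pre and (major, minor, patch) == (fmaj, fmin, fpatch)
    )
    return "vulnerable" if below else "patched"


def scan_lockfile(lock):
    """Walk the lockfile's 'packages' map (npm lockfile v2/v3) and return
    [(install_path, package_name, version, status)] for every RSC package,
    nested copies included."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name not in RSC_PACKAGES:
            continue
        version = meta.get("version", "")
        findings.append((path, name, version, status_of(version)))
    return findings


# Constructed sample lockfile: one top-level vulnerable copy, one patched copy
# nested under another dependency, and one canary build of the patched version.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.2.3"},
        "node_modules/react-server-dom-turbopack": {"version": "19.1.4-canary-abc123"},
    },
}

if __name__ == "__main__":
    # Usage: python rsc_check.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for path, name, version, status in scan_lockfile(lock):
        print(f"{status:10s} {name}@{version}  ({path})")
```

Run it against a real lockfile to get one line per installed copy; anything reported as `vulnerable` or `unknown` needs an upgrade or a manual look, and a nested copy pinned by a third-party dependency will not move until that dependency is updated or overridden.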

Researchers cautioned that the newly disclosed flaws are not as serious as the risks addressed in React2Shell. 

“While DoSes can still be valuable to adversaries, the impact of these new issues doesn’t approach the impact of the original React2Shell exploit,” Caitlin Condon, vice president of security research at VulnCheck, told Cybersecurity Dive. “CVE-2025-55183, the info leak, also requires developers to leverage the vulnerable React Server Components (RSC) functions in a specific manner, so broad exploitation is far less likely than the previous set of vulnerabilities.”

Researchers from Amazon, Palo Alto Networks and GreyNoise confirmed that state-linked actors have been exploiting React2Shell. Researchers at Palo Alto Networks confirmed at least 50 organizations have been hit with post-exploitation activity. Shadowserver researchers said about 165,000 IPs and 644,000 domains were found with potentially vulnerable code. 

Meanwhile, researchers at Cloudflare warned Thursday that Asia-affiliated threat groups are using the React2Shell vulnerabilities to target critical infrastructure sites in multiple countries. Much of the initial targeting was aimed at Taiwan, Vietnam, Japan, New Zealand and Xinjiang Uygur. Additional exploitation targeted critical infrastructure providers, governments and academic researcher sites across the globe. 

In one significant attack, a national authority responsible for the import and export of uranium and nuclear fuel was targeted, according to Cloudflare. Researchers declined to provide additional details on the attack.


