
Less than a week after patching a critical Remote Code Execution (RCE) vulnerability, the React team has disclosed three further security flaws affecting React Server Components (RSC).

Security researchers uncovered the new issues while attempting to bypass the fix for the earlier “React2Shell” exploit.

Although the initial RCE fix remains effective, the recently identified vulnerabilities pose threats related to Denial-of-Service (DoS) and the unauthorized disclosure of server-side source code.

The React team highlights that past updates (versions 19.0.2, 19.1.3, and 19.2.2) included an inadequate fix, requiring an urgent second update.

The most serious of the new vulnerabilities (rated High Severity) is a Denial-of-Service vector. Researchers found that a malicious HTTP request sent to a Server Functions endpoint can trigger an infinite loop while React deserializes the request.

This hangs the server process and consumes all available CPU, effectively taking the application offline.


A second issue, rated Medium Severity, allows an attacker to craft HTTP requests that expose the source code of Server Functions. Runtime secrets (such as environment variables) are not exposed, but any secrets or logic hardcoded inside the function body could be.

The vulnerabilities are tracked under the following identifiers:

| CVE ID | Vulnerability Type | Severity | CVSS Score |
|---|---|---|---|
| CVE-2025-55184 | Denial of Service | High | 7.5 |
| CVE-2025-67779 | Denial of Service (Patch Bypass) | High | 7.5 |
| CVE-2025-55183 | Source Code Exposure | Medium | 5.3 |

Affected Versions

The listed vulnerabilities impact the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages. Users of frameworks like Next.js, Waku, and React Router are likely affected.

The initial patches issued earlier this week were incomplete. If you are currently running versions 19.0.2, 19.1.3, or 19.2.2, you remain exposed to the DoS issue (CVE-2025-67779).

Developers need to upgrade to the following “secure” versions without delay:

  • 19.0.x branch: Update to 19.0.3
  • 19.1.x branch: Update to 19.1.4
  • 19.2.x branch: Update to 19.2.3

The React team noted that follow-on vulnerabilities are not uncommon after a high-profile disclosure, drawing a comparison with the “Log4Shell” incident, where community investigation revealed adjacent weaknesses. Credit for these findings goes to researchers Andrew MacPherson, RyotaK, and Shinsaku Nomura.
