
React Vulnerabilities Expose Sensitive Data and Allow Denial-of-Service Attacks

Key Takeaways

  • Newly discovered bugs in React Server Components (RSC) allow attackers to hang vulnerable servers and potentially leak Server Function source code.
  • The latest vulnerabilities include two high-severity denial-of-service bugs (CVE-2025-55184 and CVE-2025-67779) and a source-code exposure flaw (CVE-2025-55183).
  • These vulnerabilities affect versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
  • Users who have already updated for the Critical Security Vulnerability last week will need to update again to patch these new bugs.

Introduction to React Server Components Vulnerabilities
React Server Components (RSC) have been facing a series of vulnerabilities, with newly discovered bugs allowing attackers to hang vulnerable servers and potentially leak Server Function source code. These latest vulnerabilities, which include two high-severity denial-of-service bugs (CVE-2025-55184 and CVE-2025-67779) and a source-code exposure flaw (CVE-2025-55183), were found by security researchers attempting to poke holes in the patch for the earlier maximum-severity React flaw, dubbed "React2Shell". This vulnerability, disclosed and patched on December 3, allows for remote code execution (RCE) and has been under active exploitation, with researchers tracking at least 15 distinct intrusion clusters over the past 24 hours alone.

Denial-of-Service Bugs
The high-severity denial-of-service bugs (CVE-2025-55184 and CVE-2025-67779) can be exploited by sending a specially crafted HTTP request to any server function endpoint, causing an infinite loop that hangs the server process and consumes CPU. According to the React team, "This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment." The bugs were found and reported by researchers RyotaK and Shinsaku Nomura.

Source-Code Exposure Flaw
The medium-severity source-code exposure flaw (CVE-2025-55183) requires the existence of a specific server function that explicitly or implicitly exposes an argument converted into a string format. If this condition is met, the vulnerability can be abused via a malicious HTTP request to leak secrets hardcoded in source code. Runtime secrets, such as process.env.SECRET, are not affected. React credited Andrew MacPherson with finding this secrets-leak flaw, which exists in the same packages and versions as the earlier patched vulnerability, React2Shell.

Affected Versions and Impact
The three new CVEs exist in the same packages and versions as CVE-2025-55182, including versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. It’s worth noting that the earlier patched versions for React2Shell are still vulnerable to these new bugs, so users who have already updated will need to update again. More than 50 organizations across multiple sectors have been impacted by React2Shell, as of Wednesday, according to Palo Alto Networks’ Unit 42, with attackers from North Korea and China abusing the flaw.

Comparison to Log4Shell Vulnerability
In a Friday alert, security and cyber insurance shop Coalition likened React2Shell to the 2021 Log4Shell vulnerability (CVE-2021-44228), which led to hundreds of ransomware attacks. This comparison highlights the potential severity of the React2Shell vulnerability and the importance of patching quickly to prevent exploitation. As with Log4Shell, React2Shell has the potential to be widely exploited, and users should take immediate action to update their versions and protect against these vulnerabilities.

Conclusion and Recommendations
The newly discovered bugs in React Server Components (RSC) pose a significant threat, allowing attackers to hang vulnerable servers and potentially leak Server Function source code. The high-severity denial-of-service bugs and the source-code exposure flaw exist in the same packages and versions as the earlier patched vulnerability, React2Shell, so users who have already updated will need to update again to patch these new bugs. Given that React2Shell is already under active exploitation, users should update their versions immediately rather than waiting for evidence of attacks against the new flaws.
