
Two additional vulnerabilities discovered in React Server Components after critical React2Shell disclosure; immediate patches required
Security researchers have uncovered two new vulnerabilities in React Server Components (RSC) just days after the devastating React2Shell disclosure, forcing developers who already patched last week's critical flaw to update again immediately.
The new vulnerabilities—CVE-2025-55184 (CVSS 7.5) for Denial of Service and CVE-2025-55183 (CVSS 5.3) for Source Code Exposure—were discovered by security researchers examining the patches for React2Shell. Critically, neither allows Remote Code Execution like React2Shell, though the DoS vulnerability can completely paralyze server operations.
What makes this disclosure particularly frustrating is that organizations that scrambled to patch React2Shell (CVE-2025-55182) last week now face another round of emergency updates. The initial fix for CVE-2025-55184 was incomplete, requiring a second patch issued under CVE-2025-67779. This means some teams may need to patch twice within days.
As Cyber Kendra previously reported, the React2Shell vulnerability earned a maximum CVSS score of 10.0 and triggered widespread exploitation by state-sponsored threat groups within hours of disclosure. Now, researchers probing those patches have found additional attack vectors.
The New Threat Landscape
The Denial of Service vulnerability allows attackers to send specially crafted HTTP requests that, when deserialized, create an infinite loop that hangs the server process and prevents future HTTP requests from being served. Any App Router endpoint becomes a potential target—no authentication required.
The Source Code Exposure flaw is equally concerning for enterprises. A malicious HTTP request can cause Server Functions to return compiled source code of other Server Functions, potentially exposing business logic and hardcoded secrets. While runtime environment variables remain safe, any credentials directly embedded in code could leak.
RyotaK from GMO Flatt Security Inc. and Andrew MacPherson discovered these vulnerabilities and responsibly disclosed them to Meta's security team. Their discovery pattern mirrors what security experts warned about: when critical vulnerabilities emerge, researchers scrutinize adjacent code for variant exploits.
Affected Versions and Emergency Patches
All applications using React Server Components with the App Router face exposure. The vulnerability landscape is complex:
- Next.js users: Versions 13.3 through 16.x require immediate updates to specific patched releases (14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, or 16.0.10)
- React users: Must update to versions 19.0.3, 19.1.4, or 19.2.3 for complete protection
- Other frameworks: React Router, Waku, Parcel, and Vite RSC plugins all require updates
Vercel released an automated fix tool allowing developers to run npx fix-react2shell-next to update affected applications systematically. The tool handles monorepos, version detection, and lockfile updates automatically.
Wiz data indicates that 39% of cloud environments contain instances vulnerable to React-related flaws, with Next.js present in 69% of enterprise environments. The rapid succession of vulnerabilities has strained security teams already stretched thin from the React2Shell response.
Within hours of React2Shell's disclosure, Amazon threat intelligence teams observed exploitation attempts by multiple China state-nexus threat groups, demonstrating how quickly adversaries capitalize on React ecosystem vulnerabilities.
Major cloud providers including Vercel, Cloudflare, and Google Cloud have deployed WAF rules addressing these new vulnerabilities. However, all providers emphasize that WAF protections provide defense-in-depth only—upgrading to patched versions remains the sole complete fix.
Immediate Action Required
There is no workaround—upgrading to patched versions is mandatory. Organizations should:
- Verify current versions immediately using the automated scanner
- Update to the latest patched release in your version branch
- Test thoroughly before deploying to production
- Monitor for unusual behavior on exposed endpoints
The React Team intentionally limits technical details in their advisory to protect organizations still in the process of updating. The pattern itself is familiar across the industry: after Log4Shell, additional CVEs were reported as researchers probed the original fix.
For Next.js applications, the update process is straightforward but urgent. Developers can use npm to install specific patched versions, or leverage Vercel's automated fix tool for complex deployments.
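To make the "verify current versions" step concrete, here is an added example (not code from the React team, Vercel, or Next.js, and not the fix-react2shell-next tool) that reads the next, react and react-dom entries of a package.json and compares each against the patched release for its minor branch, using only the version list quoted in this article. The status labels and function names are this example's own. It also assumes React below 19 is out of scope, since the article lists only 19.x fixes, and it flags prerelease builds for manual review rather than guessing. A caret or tilde range in package.json gives only the declared floor, so a "vulnerable" result should be confirmed against the lockfile or the output of npm ls before acting on it.

```javascript
// Added example (not from the React/Next.js advisories or Vercel's fix tool):
// compare the Next.js and React versions declared in a package.json against
// the patched releases quoted in the article, branch by branch.

// Patched releases as listed in the article, one per minor branch.
const NEXT_PATCHED = ['14.2.35', '15.0.7', '15.1.11', '15.2.8', '15.3.8',
                      '15.4.10', '15.5.9', '16.0.10'];
const REACT_PATCHED = ['19.0.3', '19.1.4', '19.2.3'];
// The article states Next.js 13.3 through 16.x is affected. For React it lists
// only 19.x fixes, so this check (an assumption) treats React < 19 as out of scope.
const NEXT_RANGE = { min: [13, 3, 0], maxMajor: 16 };
const REACT_RANGE = { min: [19, 0, 0], maxMajor: 19 };

function parseVersion(spec) {
  // Accept plain versions or package.json ranges such as ^15.5.2 / ~14.2.0.
  // For a range this yields the declared floor, not the resolved version.
  const m = /^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(spec.trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function branchMap(list) {
  const map = new Map();
  for (const s of list) {
    const v = parseVersion(s).nums;
    map.set(`${v[0]}.${v[1]}`, v);
  }
  return map;
}

function checkVersion(name, spec, patchedList, range) {
  const parsed = parseVersion(spec);
  if (!parsed) return { name, spec, status: 'unparseable' };
  const v = parsed.nums;
  if (compare(v, range.min) < 0 || v[0] > range.maxMajor) {
    return { name, spec, status: 'outside-stated-range' };
  }
  if (parsed.prerelease) {
    // A prerelease (e.g. a canary build) sorts below its base version in
    // semver, so a numeric comparison alone cannot prove it is patched.
    return { name, spec, status: 'prerelease-review-manually' };
  }
  const branch = `${v[0]}.${v[1]}`;
  const patched = branchMap(patchedList).get(branch);
  if (!patched) {
    // In the affected range, but the article lists no fixed release for this
    // branch: move to a branch that has one.
    return { name, spec, status: 'no-patched-release-listed-for-branch', branch };
  }
  const required = patched.join('.');
  return compare(v, patched) >= 0
    ? { name, spec, status: 'patched', required }
    : { name, spec, status: 'vulnerable', required };
}

// Scan the dependency sections of a parsed package.json object.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const results = [];
  if (deps.next) results.push(checkVersion('next', deps.next, NEXT_PATCHED, NEXT_RANGE));
  for (const name of ['react', 'react-dom']) {
    if (deps[name]) results.push(checkVersion(name, deps[name], REACT_PATCHED, REACT_RANGE));
  }
  return results;
}

// Constructed sample package.json (not a real project) for a stand-alone run.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { next: '^15.5.2', react: '19.2.3', 'react-dom': '^19.2.0' },
};

for (const r of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${r.name} ${r.spec}: ${r.status}${r.required ? ` (patched release: ${r.required})` : ''}`);
}
```

Feed it the parsed package.json of each workspace in a monorepo (JSON.parse of the file contents) and treat anything other than "patched" as an action item; a "no-patched-release-listed-for-branch" result for an old 13.x or 14.0/14.1 project means a branch upgrade, not just a patch bump.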
For the millions of React applications powering the modern web, the message is clear: patch now, and prepare for potential follow-up discoveries as researchers continue examining the RSC protocol implementation.
For detailed patch instructions and version matrices, consult the official React and Next.js security advisories. Organizations using React Server Components should prioritize this update alongside their React2Shell remediation efforts.