Following the critical vulnerability CVE-2025-55182 in React Server Components, researchers have found three new vulnerabilities. Two enable denial of service, while the third leaks source code. The React team is urging all users to update immediately.
Last week, Meta warned about CVE-2025-55182, a serious vulnerability in React Server Components (RSC) that allows remote code execution. It is now known as “React2Shell.” That announcement prompted researchers to further analyze the software. This revealed three new issues that also require a patch, React reports.
The newly discovered vulnerabilities are CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183. They do not enable remote code execution, but they can cause damage in other ways. The first two make it possible to trigger an infinite loop on the server. This loop causes the server to crash and prevents it from processing new requests.
Denial of service affects availability
The two denial of service vulnerabilities both receive a CVSS score of 7.5. An attacker can use a specially crafted HTTP request to start an endless loop that keeps the CPU fully occupied. Even applications without explicit Server Function endpoints are vulnerable if they support React Server Components.
The React team published patches, but soon discovered that the initial fix for CVE-2025-55184 was incomplete. As a result, versions 19.0.2, 19.1.3, and 19.2.2 remained vulnerable. The complete fix is included in versions 19.0.3, 19.1.4, and 19.2.3. The same versions are required for the second DoS vulnerability, CVE-2025-67779.
Source code leak threatens secrets
CVE-2025-55183 poses a different type of threat. Attackers can use a malicious HTTP request to retrieve the source code of any Server Function. This only works if a Server Function stringifies an argument, either explicitly or implicitly. The impact is rated at a CVSS score of 5.3.
The vulnerability can expose secrets embedded in source code, such as hardcoded API keys or passwords. Runtime secrets such as process.env.SECRET remain secure. The patches prevent Server Function source code from being stringified. The React team recommends always checking production bundles for leaked code.
Urgent update required
The vulnerabilities are in the same packages as CVE-2025-55182: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Versions 19.0.0 through 19.2.2 are affected. Fixes are available in 19.0.3, 19.1.4, and 19.2.3.
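A dependency audit for the three packages and version ranges named above, written here as an added example rather than code from the React project. It assumes a package.json-style dependency map and treats the first release per 19.x minor line with the complete fix (19.0.3, 19.1.4, 19.2.3) as the cut-off, so that a plain range check does not misreport 19.0.3 as older than 19.2.2:

```javascript
// Added example (not React's own code): flag RSC packages in a dependency
// map that fall below the first fully patched release of their 19.x line.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// First patch release per minor line that carries the complete fix.
// 19.0.2, 19.1.3 and 19.2.2 shipped only the incomplete DoS fix.
const FIXED_PATCH_BY_MINOR = { 0: 3, 1: 4, 2: 3 };

function parseVersion(spec) {
  // Accept "19.2.3", "^19.2.3", "~19.2.3", "v19.2.3"; ignore prerelease tags.
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Returns true (vulnerable), false (fixed / out of range) or null (unparseable).
function isVulnerableVersion(spec) {
  const v = parseVersion(spec);
  if (!v) return null;
  if (v.major !== 19) return false; // affected range is 19.0.0 through 19.2.2
  const fixedPatch = FIXED_PATCH_BY_MINOR[v.minor];
  if (fixedPatch === undefined) return false; // 19.3+ is outside the stated range
  return v.patch < fixedPatch;
}

function auditDependencies(deps) {
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const vulnerable = isVulnerableVersion(spec);
    const status = vulnerable === null ? 'unknown' : vulnerable ? 'vulnerable' : 'fixed';
    findings.push({ name, spec, status });
  }
  return findings;
}

// Constructed sample dependency map, not taken from any real project.
const sampleDeps = {
  'react': '^19.2.3',
  'react-server-dom-webpack': '19.2.2',    // incomplete DoS fix only
  'react-server-dom-turbopack': '^19.1.4', // complete fix
  'react-server-dom-parcel': 'workspace:*', // cannot be judged from the spec
};

console.table(auditDependencies(sampleDeps));
```

A caret or tilde spec is only the declared floor; the resolved version in the lockfile or in node_modules is what actually runs, so feed that into the same check.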
“Due to the severity of the newly reported vulnerabilities, we recommend upgrading immediately,” according to the React team. Users who already updated for CVE-2025-55182 should also update again. The first patches were incomplete.
Frameworks such as Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk are also affected. Hosting providers have applied temporary mitigations, but organizations should not rely on them. According to the Stack Overflow Survey 2024, more than 40 percent of professional developers use React.
RSC in the spotlight due to previous vulnerability
Security researchers also report that RSC is being targeted by exploits on a large scale. Half of all React servers are still unpatched. Palo Alto Networks’ Unit 42 states that the exploitation activity corresponds to North Korean state hackers tracked under the name UNC5342. Unit 42 also found the Linux backdoor BPFDoor, which can be linked to the hacker group Red Menshen, which has connections to China.
This makes it even clearer that patching is a requirement, as is checking for suspicious traffic afterwards. It is possible that attackers have already exploited the vulnerability but have not yet used the backdoor they installed. This means that organizations may still experience problems long after “React2Shell” has been closed.