New React vulns leak secrets, invite DoS attacks
If you're running React Server Components, you just can't catch a break. In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server Function source code, so anyone using RSC or frameworks that support it should patch quickly.
The latest vulnerabilities - two high-severity denial-of-service bugs tracked as CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5), and a source-code exposure flaw tracked as CVE-2025-55183 (CVSS 5.3) - were found by security researchers attempting to poke holes in the patch for the earlier maximum-severity React flaw that is under active exploitation.
CVE-2025-55182, the React server-side vulnerability dubbed "React2Shell" disclosed and patched on December 3, allows for remote code execution (RCE), and researchers are tracking at least 15 distinct intrusion clusters over the past 24 hours alone.
The high-severity denial-of-service bugs (CVE-2025-55184 and CVE-2025-67779) can be exploited by sending a specially crafted HTTP request to any server function endpoint, causing an infinite loop that hangs the server process and consumes CPU.
"This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment," according to the React team.
Researchers RyotaK and Shinsaku Nomura found and reported the DoS bugs to Meta, which created the open source library.
CVE-2025-55183, the medium-severity source-code exposure hole, requires a server function that, explicitly or implicitly, exposes one of its arguments after it has been converted to a string.
But assuming that exists, this vulnerability can be abused via a malicious HTTP request to leak secrets hardcoded in source code. Runtime secrets - such as process.env.SECRET - are not affected.
React credited Andrew MacPherson with finding this secrets-leak flaw.
All three new CVEs exist in the same packages and versions as CVE-2025-55182. These are versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
And it's worth noting that the earlier patched versions for React2Shell are still vulnerable to these new bugs.
"If you already updated for the Critical Security Vulnerability last week, you will need to update again," according to the Thursday security alert. "If you updated to 19.0.2, 19.1.3, and 19.2.2, these are incomplete and you will need to update again."
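Because the earlier React2Shell fixes are themselves on the affected list, a lockfile check is the quickest way to confirm whether a deployment still needs another update. The following is an added example, not code from the article, the React team or Meta: it scans a parsed npm package-lock.json (lockfileVersion 1, 2 or 3) for the three react-server-dom-* packages at the versions named above, and the sample lockfile embedded in it is constructed for illustration.

```javascript
// Added example (not from the article or the React project): scan a parsed npm
// package-lock.json for the affected react-server-dom-* versions the article lists.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);
// Versions named in the article; 19.1.3 is included because the quoted React
// alert calls it an incomplete fix that must be updated again.
const AFFECTED_VERSIONS = new Set([
  "19.0.0", "19.0.1", "19.0.2", "19.1.0", "19.1.1", "19.1.2", "19.1.3",
  "19.2.0", "19.2.1", "19.2.2",
]);
function isAffected(name, version) {
  return AFFECTED_PACKAGES.has(name) && AFFECTED_VERSIONS.has(version);
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/some-framework/node_modules/react-server-dom-webpack".
function scanPackagesMap(packages, out) {
  for (const [key, entry] of Object.entries(packages)) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue; // key "" is the root project itself
    const name = key.slice(idx + "node_modules/".length);
    if (isAffected(name, entry.version)) out.push({ path: key, name, version: entry.version });
  }
}
// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencyTree(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (isAffected(name, entry.version)) out.push({ path, name, version: entry.version });
    if (entry.dependencies) scanDependencyTree(entry.dependencies, path + "/", out);
  }
}
// Returns [{ path, name, version }] for every affected install in the lockfile.
function findAffected(lockfile) {
  const out = [];
  if (lockfile.packages) scanPackagesMap(lockfile.packages, out);
  else if (lockfile.dependencies) scanDependencyTree(lockfile.dependencies, "", out);
  return out;
}

// Constructed sample (lockfileVersion 3 layout): one affected install nested under
// a framework; the parcel entry carries a made-up version that is simply not listed.
const SAMPLE_LOCKFILE = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/some-framework/node_modules/react-server-dom-webpack": { version: "19.2.2" },
  "node_modules/react-server-dom-parcel": { version: "0.0.0-placeholder" },
} };
for (const h of findAffected(SAMPLE_LOCKFILE)) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected` instead of the sample; a version absent from the list is only "not listed here", not a statement that it is fixed, since the article names no patched release.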
More than 50 organizations across multiple sectors have been impacted by React2Shell, as of Wednesday, according to Palo Alto Networks' Unit 42, with attackers from North Korea and China abusing the flaw.
In a Friday alert, security and cyber insurance shop Coalition (as other researchers have also noted) likened React2Shell to the 2021 Log4Shell vulnerability (CVE-2021-44228), which led to hundreds of ransomware attacks. ®