React Vulnerabilities Expose Servers to DoS and Source Code Disclosure
React maintainers have released patches addressing two newly discovered vulnerabilities that could allow attackers to crash servers via denial-of-service (DoS) attacks and potentially disclose sensitive source code. These flaws, which follow closely after the React2Shell incident, have raised concerns about the security of applications built with React, especially those exposed to untrusted input or running in server-side environments. The vulnerabilities are tracked as CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, and security researchers urge immediate attention and patching to mitigate exploitation risks.
Security experts highlight that the vulnerabilities could be exploited to disrupt services or leak proprietary code, posing significant risks to organizations relying on React for web application development. The issues have been acknowledged by both the React development team and independent security researchers, with proof-of-concept details and technical advisories made available to the public. Organizations are advised to review their deployments and apply the latest security updates to prevent potential attacks leveraging these flaws.
Timeline
Dec 12, 2025
React releases patches for newly discovered flaws
React released patches addressing the newly discovered vulnerabilities. The fixes were intended to mitigate risks including server-crashing denial-of-service attacks and possible source code disclosure in affected applications.
Dec 12, 2025
Three new React vulnerabilities are disclosed
Three React vulnerabilities, tracked as CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, were publicly disclosed. Reporting said the issues could enable denial-of-service, source code disclosure, and broader application or supply-chain security risks.
Related Stories

Denial-of-Service and Source Code Exposure Vulnerabilities in React Server Components
Security researchers have identified three new vulnerabilities in React Server Components (RSC) following the recent patch for the critical React2Shell exploit. These flaws include two high-severity Denial-of-Service (DoS) vulnerabilities (CVE-2025-55184 and CVE-2025-67779) and a medium-severity Source Code Exposure vulnerability (CVE-2025-55183). The DoS vulnerabilities allow attackers to send malicious HTTP requests to Server Function endpoints, triggering infinite loops that hang the server and exhaust CPU resources, effectively taking applications offline. The source code exposure flaw enables attackers to craft HTTP requests that can leak the source code of server functions, potentially exposing hardcoded secrets or sensitive logic, though runtime secrets remain protected. The affected packages are `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`, impacting React versions 19.0.0 through 19.2.2 and frameworks such as Next.js, Waku, and React Router. Initial patches released for these vulnerabilities were incomplete, necessitating immediate upgrades to versions 19.0.3, 19.1.4, and 19.2.3 to ensure full protection. The vulnerabilities were discovered by security researchers during attempts to bypass previous mitigations, highlighting the importance of rapid patch adoption and ongoing scrutiny of critical code paths after major disclosures. Users are strongly advised to update affected packages and monitor official channels for further security updates.
1 month ago
Denial-of-Service and Source Code Exposure Vulnerabilities in React Server Components
Multiple vulnerabilities have been identified in React Server Components (RSC), specifically CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, affecting several versions of `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. These vulnerabilities, discovered following the React2Shell incident, include a high-severity denial-of-service (DoS) flaw (CVE-2025-55184) caused by unsafe deserialization of structured input in the RSC Flight protocol, which can be exploited by sending specially crafted requests that trigger infinite loops or event-loop lockups on the server. The vulnerabilities also raise concerns about potential source code exposure and highlight the risk of residual flaws being discovered after major disclosures. The React Foundation has issued advisories and patches for affected versions, and the Canadian Centre for Cyber Security has urged administrators to update impacted libraries and frameworks, including popular tools such as Next.js, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku. No public exploits are currently available, but the vulnerabilities have a higher-than-average likelihood of exploitation, emphasizing the importance of prompt remediation and ongoing vigilance for follow-on issues after initial vulnerability disclosures.
1 month ago
Critical React Framework Vulnerability Enables Remote Code Execution and Supply Chain Risk
A maximum severity vulnerability, tracked as CVE-2025-55182, was discovered and patched in the React JavaScript framework, affecting all versions since 19.0. The flaw, stemming from insecure deserialization in React Server Components payload handling, allows unauthenticated remote code execution, putting millions of web applications and cloud environments at risk. Security researchers highlighted that exploit code is publicly available, and scans indicate that 39% of cloud environments contain vulnerable React instances or use similarly affected versions of Next.js, a related framework. The vulnerability has existed since at least November 2024, and its widespread impact has prompted urgent patching efforts across the industry. The incident has raised significant concerns about software supply chain security, as React is one of the most widely used front-end frameworks globally, with estimates of 55-87 million websites potentially affected. Cybersecurity experts warn that the increasing complexity and automation in software development, combined with the power of AI, are likely to make such vulnerabilities more frequent and severe. The rapid response from the developer community and security vendors underscores the critical nature of this flaw and the ongoing challenges in securing modern web infrastructure against sophisticated exploitation techniques.
1 month ago