According to TheRegister.com, newly discovered high-severity vulnerabilities in React Server Components (RSC) can let attackers hang servers and leak source code, forcing developers to patch yet again. The bugs, tracked as CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5) for denial-of-service and CVE-2025-55183 (CVSS 5.3) for source-code exposure, were found by researchers probing the patch for the earlier maximum-severity “React2Shell” (CVE-2025-55182) RCE flaw. React2Shell, disclosed on December 3, is under active exploitation with at least 15 distinct intrusion clusters seen in the past 24 hours alone and has impacted over 50 organizations. The React team warns that if you already updated to versions like 19.0.2, 19.1.3, or 19.2.2 last week for React2Shell, those fixes are incomplete and you must update again. Researchers RyotaK and Shinsaku Nomura reported the new DoS bugs to Meta, and security firm Coalition has likened the React2Shell situation to the widespread chaos of the 2021 Log4Shell vulnerability.
How the new bugs break things
So here’s the thing. The two DoS bugs are pretty nasty in their simplicity. An attacker just needs to send a specially crafted HTTP request to any server function endpoint. That’s it. This triggers an infinite loop that completely hangs the server process and pegs the CPU. Basically, it’s a one-shot way to take a service offline. The other bug, the source code leak, is a bit more conditional. It requires a specific server function that exposes an argument converted to a string. But if that exists? An attacker can send a malicious request and pull out secrets that are hardcoded right in the source. Now, it won’t grab runtime secrets from environment variables, but how many devs have accidentally left an API key or internal URL sitting in plain text in a function? I’d bet more than a few.
The React2Shell backdrop
You really can’t talk about these new flaws without the context of the original crisis. React2Shell is a remote code execution bug. That’s as bad as it gets. And it’s not theoretical—it’s being actively exploited right now by groups linked to North Korea and China. The fact that these new DoS and leak bugs were found while testing the patch for that RCE flaw is telling. It suggests the initial security review was, frankly, rushed. When a framework as ubiquitous as React has a critical RCE, the pressure to ship a fix is immense. But that pressure can sometimes lead to missing adjacent issues. And now teams that scrambled to patch last week have to scramble all over again. It’s a brutal cycle.
What you actually need to do
Look, if you’re using React Server Components or any framework that supports them (Next.js, I’m looking at you), you need to act. Check your versions immediately. The official fixes are in the latest releases of the relevant server packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The React team has all the details in their security blog post, and the advisories for CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183 cover the specifics. Don’t assume your cloud provider or platform has you covered. This is on your dev and ops teams to verify. And maybe, just maybe, use this as a reason to audit where you’re storing secrets. Hardcoded strings in your server functions? That’s a risk even without a specific CVE.
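One way to do that version check across a whole dependency tree, as an added example that is not code from the article or from the React project: it reads a package-lock.json (v2/v3 "packages" map), lists every installed copy of the three react-server-dom packages named above, and flags the React releases the article says carried an incomplete React2Shell fix. The article gives no fixed version numbers, so the minimum patched versions are a parameter you fill in from the React advisory; the lockfile and the DEMO_MIN values below are constructed placeholders.

```javascript
// Added example (not from the article or React): audit a package-lock.json for
// the RSC packages the article names and for the incomplete React releases.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);
// React versions the article lists as incomplete first-round React2Shell fixes.
const INCOMPLETE_REACT = new Set(["19.0.2", "19.1.3", "19.2.2"]);
// Compare major.minor.patch numerically; prerelease suffixes are ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Every installed copy of each package, nested node_modules trees included.
function installedVersions(lock) {
  const found = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1 || !meta.version) continue;
    const name = path.slice(i + "node_modules/".length); // keeps "@scope/" prefixes
    (found[name] = found[name] || []).push({ path, version: meta.version });
  }
  return found;
}
// minPatched: package name -> minimum fixed version (assumed; take it from the advisory).
function auditLock(lock, minPatched) {
  const findings = [];
  for (const [name, copies] of Object.entries(installedVersions(lock))) {
    for (const { path, version } of copies) {
      if (name === "react" && INCOMPLETE_REACT.has(version))
        findings.push(`${path}: react ${version} has an incomplete React2Shell fix, update again`);
      if (RSC_PACKAGES.has(name) && minPatched[name] && cmpVersion(version, minPatched[name]) < 0)
        findings.push(`${path}: ${name} ${version} is below assumed patched minimum ${minPatched[name]}`);
    }
  }
  return findings;
}
// Constructed sample lockfile; a real run would JSON.parse(fs.readFileSync("package-lock.json")).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" }, "node_modules/react": { version: "19.1.3" },
  "node_modules/react-server-dom-webpack": { version: "19.1.3" },
  "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
} };
// Placeholder minimums for the demo only; NOT the real fixed versions.
const DEMO_MIN = { "react-server-dom-webpack": "19.1.4", "react-server-dom-turbopack": "19.2.3" };
console.log(auditLock(SAMPLE_LOCK, DEMO_MIN));
```

Running it against the sample prints three findings: the incomplete React release plus two server packages below the placeholder minimums, including the copy nested under node_modules/next that a top-level check would miss.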
