Denial-of-Service and Source Code Exposure Vulnerabilities in React Server Components
Security researchers have identified three new vulnerabilities in React Server Components (RSC) following the recent patch for the critical React2Shell exploit. These flaws include two high-severity Denial-of-Service (DoS) vulnerabilities (CVE-2025-55184 and CVE-2025-67779) and a medium-severity Source Code Exposure vulnerability (CVE-2025-55183). The DoS vulnerabilities allow attackers to send malicious HTTP requests to Server Function endpoints, triggering infinite loops that hang the server and exhaust CPU resources, effectively taking applications offline. The source code exposure flaw enables attackers to craft HTTP requests that can leak the source code of server functions, potentially exposing hardcoded secrets or sensitive logic, though runtime secrets remain protected.
The affected packages are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, impacting React versions 19.0.0 through 19.2.2 and frameworks such as Next.js, Waku, and React Router. Initial patches released for these vulnerabilities were incomplete, necessitating immediate upgrades to versions 19.0.3, 19.1.4, and 19.2.3 to ensure full protection. The vulnerabilities were discovered by security researchers during attempts to bypass previous mitigations, highlighting the importance of rapid patch adoption and ongoing scrutiny of critical code paths after major disclosures. Users are strongly advised to update affected packages and monitor official channels for further security updates.
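The following is an added example, not code from the React advisory or any of the sources on this page: a Node.js script that audits a package-lock.json "packages" map for the three affected packages and reports each installed copy as vulnerable (19.0.0 through 19.2.2, below the fixed release for its minor line), fixed (19.0.3, 19.1.4, 19.2.3 or later), not-affected, or unknown. The sample lockfile is constructed for the demonstration; canary or pre-release version strings are reported as unknown so they get reviewed by hand.

```javascript
// Added example, not from the advisory: audit a package-lock.json for the
// React Server Components packages the advisory names as affected.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// First fixed patch level on each affected 19.x minor line (19.0.3, 19.1.4, 19.2.3).
const FIXED_PATCH = { 0: 3, 1: 4, 2: 3 };

// Strict "major.minor.patch" parser; canary or pre-release strings return null.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// "vulnerable": inside 19.0.0..19.2.2 and below the fixed release for its minor line;
// "fixed": at or above it; "not-affected": outside the range; "unknown": fail closed.
function classifyVersion(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  if (v.major !== 19 || !(v.minor in FIXED_PATCH)) return "not-affected";
  return v.patch >= FIXED_PATCH[v.minor] ? "fixed" : "vulnerable";
}

// Walk the lockfileVersion 2/3 "packages" map. Keys look like
// "node_modules/next/node_modules/react-server-dom-turbopack", so nested
// copies installed under a framework are classified too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name) || !meta.version) continue;
    findings.push({ path, name, version: meta.version, status: classifyVersion(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile for the demonstration, not a real project's.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.2" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.3" },
    "node_modules/react-server-dom-parcel": { version: "19.1.0-canary-0000" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
}
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of SAMPLE_LOCK; any "vulnerable" or "unknown" line means the upgrade in the advisory is still outstanding.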

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Vercel deploys WAF protections for hosted projects
Vercel said it deployed WAF rules to help protect projects hosted on its platform from the React Server Components vulnerabilities affecting React 19 and Next.js. It emphasized that these protections are temporary and that customers still need to upgrade to patched React and Next.js versions.
Akamai deploys protections and publishes mitigation guidance
Akamai announced Adaptive Security Engine Rapid Rules and related detection and mitigation guidance for customers affected by CVE-2025-55183 and CVE-2025-55184. The company also provided asset-identification queries and recommended prompt vendor patching as the primary mitigation.
React discloses the new CVEs and releases patched versions
React publicly disclosed the new vulnerabilities on its blog and released fixes backported to versions 19.0.3, 19.1.4, and 19.2.3. The advisory warned that crafted HTTP requests could hang server processes or expose Server Function source code, and urged immediate upgrades.
Researchers identify new RSC DoS and source code exposure flaws
During follow-up security research on React2Shell, researchers Andrew MacPherson, RyotaK, and Shinsaku Nomura discovered additional React Server Components vulnerabilities: DoS issues CVE-2025-55184 and CVE-2025-67779, and source code exposure flaw CVE-2025-55183. The bugs affect react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack across vulnerable React 19.x releases.
React2Shell RCE flaw is disclosed and patched incompletely
Before the newly disclosed issues, React patched the critical React Server Components remote code execution flaw CVE-2025-55182 ("React2Shell"). Subsequent research found the initial mitigations were incomplete, leaving room for bypasses and follow-on vulnerabilities.
Sources
8 references tracked.
additional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) - seclists.org
New React vulns leak secrets, invite DoS attacks - go.theregister.com
New React RSC Vulnerabilities Enable DoS and Source Code Exposure - thehackernews.com
React Fixes Two New RSC Flaws as Security Teams Deal with React2Shell - securityboulevard.com
New React Server Components Vulnerabilities: DoS and Source Code Exposure - socket.dev
New Vulnerabilities in React Server Components Allow DoS Attacks and Source Code Leaks - cybersecuritynews.com
CVE-2025-55183 and CVE-2025-55184: Mitigating React/Next.js Vulnerabilities - akamai.com
Denial of Service and Source Code Exposure in React Server Components - react.dev

