React Fixes Two New RSC Flaws as Security Teams Deal with React2Shell
<p>Security teams scrambling to <a href="https://securityboulevard.com/2025/12/exploitation-efforts-against-critical-react2shell-flaw-accelerate/" target="_blank" rel="noopener">protect their organizations</a> from the maximum-severity, highly exploitable React2Shell vulnerability in React Server Components (RSC) now have two more – though less dangerous – security flaws to address.</p>
<p>The React team this week said the two additional vulnerabilities in RSC, if exploited by bad actors, could result in denial-of-service (DoS) attacks or exposed source code. The team said security researchers uncovered the bugs while testing the patches React and Next.js released last week to address the remote code execution (RCE) exploit, which is tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-55182" target="_blank" rel="noopener">CVE-2025-55182</a>.</p>
<p>“It’s common for critical CVEs to uncover follow‑up vulnerabilities,” the React team <a href="https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components" target="_blank" rel="noopener">wrote in a notice</a> this week. “When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.”</p>
<p>“Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle,” the React team wrote.</p>
<p>The fix released last week for React2Shell remains effective, the team wrote.</p>
<h3>Starting with Malicious HTTP Requests</h3>
<p>The two newly discovered security flaws include a high-severity (CVSS 7.5) DoS vulnerability tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2025-55184" target="_blank" rel="noopener">CVE-2025-55184</a> and <a href="https://www.cve.org/CVERecord?id=CVE-2025-67779" target="_blank" rel="noopener">CVE-2025-67779</a>. The other bug – with a medium severity score of 5.3 – is tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2025-55183" target="_blank" rel="noopener">CVE-2025-55183</a>.</p>
<p>The React team released patches for the vulnerabilities, which affect the same 10 RSC packages and versions as the critical React2Shell flaw. The team is urging organizations to apply the patches immediately.</p>
<p>For the DoS vulnerability, security researchers found that threat actors could craft a malicious HTTP request and send it to any Server Functions endpoint. When it is deserialized by React, it can create an “infinite loop that hangs the server process and consumes CPU,” the team wrote. “Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.”</p>
<p>As a result, an attacker may be able to deny users access to the product and degrade the server’s performance. The patches for the bug are designed to prevent the infinite loop.</p>
<h3>Exposing Source Code</h3>
<p>With the other security flaw, an attacker can send a malicious HTTP request to a vulnerable Server Function, which may then return the source code of any Server Function.</p>
<p>“Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument,” allowing for the source code leak, team members wrote.</p>
<p>“Only secrets in source code may be exposed,” they added. “Secrets hardcoded in source code may be exposed, but runtime secrets such as process.env.SECRET are not affected. The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides.”</p>
<p>In their own <a href="https://nextjs.org/blog/security-update-2025-12-11" target="_blank" rel="noopener">blog post</a>, Josh Story and Sebastian Markbåge, software engineers with Vercel, the creator of Next.js, wrote that the vulnerability “could reveal business logic. Secrets could also be exposed if they are defined directly in your code (rather than accessed via environment variables at runtime) and referenced within a Server Function. Depending on your bundler configuration, these values may be inlined into the compiled function output.”</p>
<p>Users should always verify against their production bundles, the React team wrote.</p>
<h3>React2Shell Under Attack</h3>
<p>Both posts noted that the DoS vulnerability was discovered by security researchers RyotaK from GMO Flatt Security and Shinsaku Nomura of Bitforest, while Andrew MacPherson reported the source code exposure.</p>
<p>All this comes as a rapidly widening field of nation-state and financially motivated threat groups from around the globe are furiously trying to <a href="https://securityboulevard.com/2025/12/attackers-worldwide-are-zeroing-in-on-react2shell-vulnerability/" target="_blank" rel="noopener">exploit the React2Shell RCE vulnerability</a>, using an expanding arsenal of threats, from backdoors and botnets to cryptocurrency miners, information-stealers, and reconnaissance probes.</p>
<p>The broad use of RSC and frameworks that rely on it – Wiz noted that <a href="https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182" target="_blank" rel="noopener">39% of cloud environments</a> contain React or Next.js – combined with the easy exploitability makes React2Shell an attractive target for bad actors.</p>
<p>“The widespread deployment of vulnerable React 19.x RSC packages is alarming, coupled with rapid weaponization, readily available public exploits, and convenient Metasploit modules,” said Noelle Murata, senior security engineer for cybersecurity firm Xcape. “This lowers the skill barrier for attackers, facilitating rapid duplication and propagation. … Delaying patching is not risk management; it’s a gamble.”</p>
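<p>The article twice comes back to the same operational point: apply the patched RSC packages, and verify what is actually deployed rather than what you think is installed. The following script is an added example written for this page, not code from the article, the React team or Vercel. It walks the <code>packages</code> map of an npm <code>package-lock.json</code> (lockfile v2/v3 layout) and flags every React Server Components package whose installed version is older than the patched release for its major.minor line. The package names (<code>react-server-dom-webpack</code>, <code>react-server-dom-parcel</code>, <code>react-server-dom-turbopack</code>) are an assumption about which packages the advisory covers, the 19.x release lines are taken from the article, and the patched version numbers are obviously fake placeholders ending in <code>.999</code> that must be replaced with the numbers from the React advisory. The sample lockfile is constructed for the demonstration.</p>

```javascript
"use strict";

// Added example, not code from the article, React or Vercel.
// ASSUMPTION: these are the RSC packages the advisory covers; confirm against it.
const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// PLACEHOLDERS: the ".999" patch numbers are not real releases. Replace each
// entry with the patched version the React advisory names for that 19.x line.
const PLACEHOLDER_PATCHED = { "19.0": "19.0.999", "19.1": "19.1.999", "19.2": "19.2.999" };
const PATCHED_VERSIONS = Object.fromEntries(
  RSC_PACKAGES.map((name) => [name, { ...PLACEHOLDER_PATCHED }])
);

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts; null if malformed.
function parseVersion(v) {
  const [core, pre] = String(v).split("-", 2);
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  return { major: parts[0], minor: parts[1], patch: parts[2], prerelease: pre !== undefined };
}

// Numeric triple first; a prerelease (e.g. a canary build) sorts before the
// release with the same triple, so "19.2.1-canary-x" counts as older than "19.2.1".
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease !== b.prerelease) return a.prerelease ? -1 : 1;
  return 0;
}

// Returns one finding per RSC package entry that is below the patched release,
// on an unknown release line, or carries a version the parser cannot read.
// Nested copies (node_modules/x/node_modules/react-server-dom-...) are included.
function findUnpatched(lock, patched = PATCHED_VERSIONS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (!(name in patched)) continue;

    const installed = parseVersion(entry.version);
    if (!installed) {
      findings.push({ path, name, version: entry.version, reason: "unparseable version" });
      continue;
    }
    const line = `${installed.major}.${installed.minor}`;
    const fixed = patched[name][line];
    if (!fixed) {
      findings.push({ path, name, version: entry.version, reason: `no patched release known for line ${line}` });
      continue;
    }
    if (compareVersions(installed, parseVersion(fixed)) < 0) {
      findings.push({ path, name, version: entry.version, reason: `below patched ${fixed}` });
    }
  }
  return findings;
}

// CONSTRUCTED sample lockfile: one patched package, one direct dependency that
// is behind, and one nested canary build pulled in by another package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.999" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-tool/node_modules/react-server-dom-turbopack": { version: "19.1.0-canary-abc" },
  },
};

// Usage: node check-rsc-lock.js  (swap SAMPLE_LOCK for require("./package-lock.json"))
console.log(JSON.stringify(findUnpatched(SAMPLE_LOCK), null, 2));
```

<p>On the constructed sample the script reports the <code>react-server-dom-webpack</code> entry and the nested <code>react-server-dom-turbopack</code> canary build and stays silent on the package that already matches its (placeholder) patched version. A lockfile check is only the first pass: as the React team's advice above says, the thing to trust is the production bundle, so run the same comparison against the versions that ship in the deployed artifact, not only against what the repository says will be installed.</p>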
href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F12%2Freact-fixes-two-new-rsc-flaws-as-security-teams-deal-with-react2shell%2F&linkname=React%20Fixes%20Two%20New%20RSC%20Flaws%20as%20Security%20Teams%20Deal%20with%20React2Shell" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F12%2Freact-fixes-two-new-rsc-flaws-as-security-teams-deal-with-react2shell%2F&linkname=React%20Fixes%20Two%20New%20RSC%20Flaws%20as%20Security%20Teams%20Deal%20with%20React2Shell" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>