Full Report
And the earlier React2Shell patch is vulnerable. If you're running React Server Components, you just can't catch a break. In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server Function source code, so anyone using RSC or frameworks that support it should patch quickly.…
Analysis Summary
# Vulnerability: Multiple Flaws in React Server Components (Post-React2Shell Patch)
## CVE Details
- CVE IDs: CVE-2025-55184, CVE-2025-67779, CVE-2025-55183
- CVSS Score: 7.5 (High) for DoS bugs; 5.3 (Medium) for Source Code Exposure.
- CWE: Not explicitly listed, but related to uncontrolled resource consumption (DoS) and improper input validation/information exposure (Source Code Leak).
## Affected Systems
- Products: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack` (Libraries supporting React Server Components/RSC).
- Versions: 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2.
- *Note: Previous patches (e.g., to 19.0.2, 19.1.3, and 19.2.2) are incomplete against these new issues and require further updating.*
- Configurations: Environments running React Server Components (RSC) or frameworks utilizing them.
## Vulnerability Description
These newly discovered flaws target systems utilizing React Server Components (RSC), some of which exist in packages that had previously been patched for the "React2Shell" vulnerability.
1. **Denial of Service (CVE-2025-55184 & CVE-2025-67779):** Specially crafted HTTP requests sent to a server function endpoint can trigger an infinite loop within the server process. This consumes excessive CPU resources, leading to a denial of service by hanging the server process and impacting overall availability.
2. **Source Code Exposure (CVE-2025-55183):** If a server function explicitly or implicitly exposes an argument that is converted into a string format, a malicious HTTP request can be abused to leak secrets hardcoded within the application's source code. (Note: `process.env.SECRET` style runtime secrets are reportedly unaffected).
## Exploitation
- Status: Not explicitly stated as exploited in the wild for these specific CVEs, but the broader context mentions active threat monitoring around the earlier React2Shell server-side vulnerability.
- Complexity: Likely **Medium** for the DoS (requires crafting specific requests) and potentially **Medium** for the source code leak (requires the existence of a specific function signature).
- Attack Vector: **Network** (via malicious HTTP requests to server function endpoints).
## Impact
- Confidentiality: **Partial** (Potential leak of hardcoded source code secrets via CVE-2025-55183).
- Integrity: **None specified** (Focus is on availability and information disclosure).
- Availability: **High** (DoS condition causing server processes to hang and consume CPU via CVE-2025-55184 and CVE-2025-67779).
## Remediation
### Patches
- Users must update beyond the versions listed in the previous React2Shell fix. Check vendor advisories for the latest patched versions across `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`.
- **Critical Action:** Update to versions that supersede 19.0.2, 19.1.3, and 19.2.2.
### Workarounds
- No workarounds are described in the source text; the only mitigation given is updating the affected library versions.
## Detection
- **Indicators of Compromise:** Unusual or sustained high CPU utilization on server processes handling RSC requests. Network traffic containing malformed HTTP requests targeted at server function endpoints.
- **Detection Methods and Tools:** Monitoring server resource utilization spikes correlating with incoming HTTP requests. Analyzing requests for patterns that resemble inputs meant to trigger resource exhaustion in component server functions.
## References
- Vendor Advisory: [hXXps://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components](hXXps://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
- Related Research (DoS): [hXXps://ryotak.net/]
- NPM Packages:
- [hXXps://www.npmjs.com/package/react-server-dom-webpack]
- [hXXps://www.npmjs.com/package/react-server-dom-parcel]
- [hXXps://www.npmjs.com/package/react-server-dom-turbopack]