React disclosed two new security vulnerabilities in React Server Components on December 11—a high-severity denial-of-service flaw (CVE-2025-55184, CVSS 7.5) and a medium-severity source code exposure flaw (CVE-2025-55183, CVSS 5.3)—just 8 days after the critical React2Shell vulnerability. Researchers found both while testing the React2Shell patches. Worse, the initial December 11 fixes were themselves incomplete, requiring yet another emergency patch days later to versions 19.0.3, 19.1.4, and 19.2.3.
This isn’t routine security maintenance—it’s a quality crisis. Developers who patched on December 3 must patch again immediately. Those who patched on December 11 to the incomplete versions must patch a third time. With React used by roughly 40% of developers and 968,000+ exposed instances in the wild, patches that themselves need patches suggest React Server Components may have been rushed to production.
Patches Needing Patches: A Quality Crisis
The timeline tells the story. December 3: React2Shell (CVE-2025-55182, CVSS 10.0) is disclosed and patched in versions 19.0.1, 19.1.2, and 19.2.1. December 11: researchers testing those patches find two new vulnerabilities, a denial-of-service flaw and a source code exposure flaw; initial fixes ship as 19.0.2, 19.1.3, and 19.2.2. Days later: those fixes turn out to be incomplete, and another emergency release follows as 19.0.3, 19.1.4, and 19.2.3.
The official React advisory states that researchers “found two additional vulnerabilities in React Server Components while attempting to exploit the patches from the prior week’s critical vulnerability.” Finding new flaws only during patch testing, not before release, suggests inadequate security auditing before React 19 shipped. The incomplete patches compound the problem: emergency fixes that require further emergency fixes indicate fundamental issues with the security testing process.
DoS Attacks and Source Code Leakage
CVE-2025-55184 enables denial of service attacks through malicious HTTP requests containing cyclic promise references. When React’s server deserializes these payloads, it triggers infinite loops in Node.js, hanging the server process and consuming CPU resources. Consequently, legitimate users get locked out while the server burns through compute cycles unwrapping nested Promises indefinitely.
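To make that failure mode concrete, here is an added illustration of the bug class, not React's code or its wire format: a toy decoder for a chunked payload in which a value of the form {"$ref": n} points at another chunk. The naive resolver follows references with no memory of where it has been and never terminates on a cyclic payload; the hardened one tracks the chain currently being resolved so a back-reference is rejected at once, and it goes slightly beyond the cycle case by also validating every index and capping total hops. The $ref notation, chunk layout, function names and sample payloads are all invented for this example.

```javascript
// Added illustration of the "cyclic reference" denial-of-service class, NOT
// React's implementation or wire format. The {"$ref": n} notation, the chunk
// layout and every name below are invented for the example.

// A value of the shape {"$ref": n} means "the (resolved) value of chunk n".
function isRef(v) {
  return (
    v !== null &&
    typeof v === "object" &&
    !Array.isArray(v) &&
    Object.keys(v).length === 1 &&
    Number.isInteger(v.$ref)
  );
}

// Naive: follow references wherever they lead, remembering nothing. On an
// acyclic payload this works; on a cycle it recurses until the engine throws
// RangeError. A Promise-based variant that awaited each hop would not even
// overflow the stack: it would spin on the microtask queue forever, which is
// the hung-server symptom the article describes.
function resolveNaive(chunks, idx) {
  const v = chunks[idx];
  if (isRef(v)) return resolveNaive(chunks, v.$ref);
  if (Array.isArray(v)) {
    return v.map((item) => (isRef(item) ? resolveNaive(chunks, item.$ref) : item));
  }
  return v;
}

// Hardened: remember the chain of chunks currently being resolved so a
// reference back into that chain fails immediately, reject indices outside
// the payload, and cap total hops so even a huge acyclic chain cannot
// monopolize the CPU.
function resolveSafe(chunks, idx, opts = {}) {
  const maxHops = opts.maxHops ?? 10_000;
  const inProgress = new Set();
  let hops = 0;

  const walk = (i) => {
    if (!Number.isInteger(i) || i < 0 || i >= chunks.length) {
      throw new Error(`dangling reference to chunk ${i}`);
    }
    if (inProgress.has(i)) throw new Error(`cyclic reference through chunk ${i}`);
    if (++hops > maxHops) throw new Error(`reference budget of ${maxHops} hops exceeded`);
    inProgress.add(i);
    try {
      const v = chunks[i];
      if (isRef(v)) return walk(v.$ref);
      if (Array.isArray(v)) return v.map((item) => (isRef(item) ? walk(item.$ref) : item));
      return v;
    } finally {
      inProgress.delete(i); // siblings may legitimately share a chunk; only cycles are an error
    }
  };
  return walk(idx);
}

// Runs a resolver and reports the outcome without letting an exception escape.
function probe(resolver, chunks, idx = 0) {
  try {
    return { ok: true, value: resolver(chunks, idx) };
  } catch (e) {
    return { ok: false, kind: e.name, message: e.message };
  }
}

// Constructed payloads.
const BENIGN = [{ $ref: 1 }, ["hello", { $ref: 2 }], 42]; // chunk 0 resolves to ["hello", 42]
const CYCLIC = [{ $ref: 1 }, { $ref: 0 }];                 // 0 -> 1 -> 0 -> ...
const SELF_REF = [["item", { $ref: 0 }]];                  // an array that contains itself
const DANGLING = [{ $ref: 7 }];                            // points outside the payload
const LONG_CHAIN = [...Array.from({ length: 600 }, (_, i) => ({ $ref: i + 1 })), "end"];

console.log(probe(resolveNaive, CYCLIC).kind, "|", probe(resolveSafe, CYCLIC).message);
```

Note that the naive decoder also returns `undefined` for a dangling reference instead of failing, so a robust decoder needs the index check as much as the cycle check; the hop budget is what turns "terminates eventually" into "terminates within a bounded amount of work" for adversarial but acyclic input.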
CVE-2025-55183 exposes Server Function source code when a function uses stringified forms of its arguments. An attacker can send a malformed request and read back the function body, including business logic and any hardcoded secrets. Values read at runtime from environment variables are not exposed, but any API keys, database credentials, or proprietary logic written directly into a Server Function are.
The killer detail: apps supporting React Server Components remain vulnerable even without explicitly implementing Server Function endpoints. Simply having RSC capability makes applications exploitable. Palo Alto Networks Unit 42 confirms “a standard Next.js application created with create-next-app and built for production is exploitable without any code changes by the developer.”
968,000 Instances, 40% of Developers Affected
The blast radius is enormous. Roughly 40% of all developers use React, and Next.js, which defaults to RSC via the App Router, is used by 18-20% of developers. Palo Alto Networks Cortex Xpanse identified 968,000+ React and Next.js instances in the wild, and Wiz Research data shows 39% of cloud environments contain vulnerable instances.
All major React frameworks are affected: Next.js, React Router (Remix), Waku, Parcel RSC, and Vite RSC. Exploitation began immediately: Amazon Threat Intelligence reported China state-nexus threat groups “leveraging public exploits within hours” of the React2Shell disclosure, and Wiz, Datadog, and Amazon Threat Intelligence have all observed active exploitation attempts against production systems.
Immediate Action Required
Patch now. Upgrade React to versions 19.0.3, 19.1.4, or 19.2.3—not the incomplete intermediate versions (19.0.2, 19.1.3, 19.2.2). Update affected frameworks to versions bundling patched React. Next.js, Remix, and Waku have all published specific upgrade instructions.
Ben Harris, CEO of security firm watchTowr, warned bluntly: “The reason there’s been such a measured response to this vulnerability is because exploitation is inevitable. We should be expecting attackers to start exploiting this vulnerability truly imminently.” Vercel deployed emergency WAF rules for Vercel-hosted applications, but security experts emphasize self-patching is the only reliable long-term solution.
Audit your Server Functions for hardcoded secrets and move them to environment variables, which the source code exposure flaw does not reach. Check server logs for suspicious activity: sustained CPU spikes and unusual Server Function requests may indicate exploitation attempts. If you can’t patch immediately, consider temporary WAF protection, but don’t rely on it.
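As an added example of the audit step above (not from the article or the React project), the following scanner walks source text for credential-like string literals in three ways: well-known key formats, credential-named variables assigned a fixed literal, and long high-entropy strings under any name. The name patterns, the prefix list, the entropy threshold and the sample 'use server' module are constructed for illustration and would need tuning for a real codebase.

```javascript
// Added example, not from the article or the React project: a small audit helper that
// finds credential-like string literals in source text, i.e. the kind of hardcoded
// secret that would be handed to an attacker if a Server Function's source leaked.
// Patterns, thresholds and the sample module below are constructed for illustration.

// Variable/property names that suggest a credential.
const SECRET_NAME = /(api[_-]?key|secret|token|password|passwd|private[_-]?key|connection[_-]?string)/i;

// `<name> = '<literal>'`, `<name>: "<literal>"` or `<name> = `<literal>``; group 3 is the literal.
const ASSIGNMENT = /\b([A-Za-z_$][\w$]*)\s*[:=]\s*(["'`])((?:(?!\2)[^\\\n]|\\.)+)\2/g;

// Shapes of well-known credential formats (constructed subset).
const KNOWN_PREFIXES = [
  /^sk_(live|test)_/,                // Stripe-style secret key
  /^AKIA[0-9A-Z]{16}$/,              // AWS access key id
  /^ghp_[A-Za-z0-9]{36}$/,           // GitHub personal access token
  /^postgres(ql)?:\/\/[^:]+:[^@]+@/, // connection string with an embedded password
];

// Shannon entropy in bits per character; random keys score high, words score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns a reason string if the literal looks like a hardcoded credential, else null.
function classifyLiteral(name, literal) {
  if (literal.includes("${")) return null; // interpolated template, not a fixed value
  if (KNOWN_PREFIXES.some((re) => re.test(literal))) return "known-prefix";
  const placeholder = /[<{]|your[_-]|example/i.test(literal);
  if (SECRET_NAME.test(name) && literal.length >= 8 && !placeholder) return "named-credential";
  if (literal.length >= 20 && shannonEntropy(literal) >= 4.0) return "high-entropy";
  return null;
}

// Scans a source string and reports suspicious literals by line, keeping only a short
// prefix of each value so the report itself does not become a secret store.
function findHardcodedSecrets(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(ASSIGNMENT)) {
      const [, name, , literal] = m;
      const reason = classifyLiteral(name, literal);
      if (reason) findings.push({ line: i + 1, name, reason, preview: literal.slice(0, 4) + "..." });
    }
  });
  return findings;
}

// Constructed sample Server Function module; every value below is made up.
const SAMPLE_SOURCE = [
  "'use server';",
  "const STRIPE_KEY = 'sk_live_9aZ3kQp7Lm2Xw8Rt5Yv1Bn';",               // flagged: known-prefix
  'const dbUrl = "postgres://app:Tr0ub4dor&3@db.internal:5432/shop";', // flagged: known-prefix
  "const password = 'changeme';",                                     // flagged: named-credential
  'const blob = "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY";',                   // flagged: high-entropy
  'const region = "us-east-1";',                                      // fine: not a credential
  "const token = process.env.API_TOKEN;",                             // fine: read from the environment
  'const apiKey = "<your-api-key>";',                                 // fine: placeholder
  "const header = `Bearer ${process.env.TOKEN}`;",                    // fine: interpolated at runtime
].join("\n");

console.log(findHardcodedSecrets(SAMPLE_SOURCE));
```

Run it over each file that carries a Server Function directive and treat every finding as something to move into an environment variable or a secrets manager; the `process.env` and template-literal lines in the sample show what the post-migration code should look like to the scanner.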
