New React Vulnerabilities: DoS Attacks and Source Code Leaks Exposed (2026)

React's latest security woes: Secrets exposed, servers at risk!

React Server Components users are facing yet another security nightmare. On top of previously reported issues, newly uncovered vulnerabilities could enable attackers to crash servers and expose sensitive source code. This means anyone relying on React Server Components (RSC) or supporting frameworks should urgently apply the latest patches.

The recent CVEs (CVE-2025-55184, CVE-2025-67779, and CVE-2025-55183) were discovered by researchers probing the patch for a critical React flaw that is currently being actively exploited. These new vulnerabilities include two high-severity denial-of-service bugs and a medium-severity source-code exposure issue.

The backdrop makes this worse: CVE-2025-55182, a server-side vulnerability nicknamed 'React2Shell', was disclosed and patched on December 3rd. It allows remote code execution (RCE), and researchers identified at least 15 intrusion clusters within 24 hours of disclosure. Is this a case of one step forward, two steps back?

The high-severity DoS bugs can be triggered by sending a malicious HTTP request to any server function endpoint; the request sends the server into an infinite loop that pins the CPU and stops it serving requests. As the React team warns, this can prevent users from accessing the product and degrade server performance.

Researchers RyotaK and Shinsaku Nomura identified and reported these DoS vulnerabilities to Meta, the creators of the open-source library. Meanwhile, the source-code exposure flaw, CVE-2025-55183, can be exploited if a specific server function exposes an argument in string format. This vulnerability can leak hardcoded secrets in source code, though runtime secrets remain unaffected.

React acknowledged Andrew MacPherson for discovering the secrets-leak vulnerability. However, the situation is dire: half of exposed React servers remain unpatched despite active exploitation. Additionally, Cloudflare's Friday outage was linked to a faulty fix for React2Shell, and hackers with ties to Beijing are actively targeting the maximum-severity React bug, as AWS warns.

All three new CVEs are present in the same packages and versions as CVE-2025-55182, specifically versions 19.0.0 to 19.2.2 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Alarmingly, even the previously patched versions for React2Shell are vulnerable to these new bugs. Users who updated for last week's critical vulnerability will need to update again, as the Thursday security alert emphasizes.
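Because the three packages and the affected range are named explicitly, the first thing a defender wants is a way to sweep lockfiles for them, including copies nested under a framework such as Next.js that a top-level `npm ls` might not surface. The script below is an added example, not code from the article or from the React project: it reads an npm `package-lock.json` (lockfile v2/v3 `packages` layout and the older v1 `dependencies` layout) and reports every copy of `react-server-dom-webpack`, `react-server-dom-parcel` or `react-server-dom-turbopack` whose version falls in 19.0.0 to 19.2.2. The embedded lockfile is constructed for the example, and the "19.3.0" entry is a constructed placeholder for "a version outside the range", not a statement about which release fixes these CVEs (the article does not give one). Prerelease versions (for example canary builds) are compared on their numeric core and treated as affected when that core is in range, which is a conservative choice made here, not something the article states.

```python
import json
import re
from typing import Optional, Tuple

# Package names and the affected range are taken from the article.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
AFFECTED_MIN = (19, 0, 0)
AFFECTED_MAX = (19, 2, 2)

_SEMVER_CORE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return the numeric major.minor.patch core, ignoring any prerelease
    or build suffix; None if the string is not a semver version."""
    m = _SEMVER_CORE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version's numeric core lies in 19.0.0..19.2.2 inclusive."""
    core = parse_version(version)
    return core is not None and AFFECTED_MIN <= core <= AFFECTED_MAX


def _name_from_path(path: str) -> str:
    # "node_modules/next/node_modules/react-server-dom-webpack" -> last segment
    return path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps: dict, prefix: str, hits: list) -> None:
    # lockfile v1: {"dependencies": {name: {"version": ..., "dependencies": {...}}}}
    for name, info in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name in AFFECTED_PACKAGES and is_affected(info.get("version", "")):
            hits.append((path, info["version"]))
        _walk_v1(info.get("dependencies", {}), path + "/", hits)


def find_affected(lockfile: dict) -> list:
    """Return [(install path, version)] for every affected package copy."""
    hits = []
    # lockfile v2/v3: "packages" keyed by install path; "" is the root project.
    for path, info in lockfile.get("packages", {}).items():
        if not path:
            continue
        name = info.get("name") or _name_from_path(path)
        version = info.get("version", "")
        if name in AFFECTED_PACKAGES and is_affected(version):
            hits.append((path, version))
    # lockfile v1 (or v2 files that also carry the legacy tree) if no hits yet.
    if not hits and "dependencies" in lockfile and "packages" not in lockfile:
        _walk_v1(lockfile["dependencies"], "", hits)
    return hits


# Constructed sample lockfile (v3 layout). Versions other than those named in
# the article are placeholders chosen for the example.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.2"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.2"},
        "node_modules/react-server-dom-parcel": {"version": "19.3.0"},
        "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.0.0"},
        "node_modules/react-server-dom-turbopack": {"version": "19.2.0-canary-0000000"},
    },
})


if __name__ == "__main__":
    import sys
    # Usage: python check_rsc_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = json.loads(SAMPLE_LOCKFILE)
    for path, version in find_affected(lock):
        print(f"AFFECTED  {path}  {version}")
```

Run it against a real `package-lock.json` to get one line per affected copy; an empty output means none of the three packages is installed in the 19.0.0 to 19.2.2 range. The nested-path handling matters because a framework can vendor its own copy of the RSC package, so a clean top-level entry alone does not prove the tree is clean.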

React2Shell's impact is widespread, with over 50 organizations across various sectors affected as of Wednesday, according to Palo Alto Networks' Unit 42. Attackers from North Korea and China have been exploiting this flaw. Security firm Coalition draws parallels between React2Shell and the infamous Log4Shell vulnerability from 2021, which resulted in countless ransomware attacks.

Are these recurring security issues a sign of deeper problems within React's development process? Share your thoughts in the comments below!

Article information

Author: Barbera Armstrong