React's New Exploits: Update or Face a Shutdown
Just when you thought you patched the critical React2Shell flaw, two new exploits have landed, threatening to crash your servers and expose your code. Here's why this denial-of-service and source code leak demands your immediate attention.
Déjà Vu: Why React Is Sounding the Alarm Again
React developers just finished racing to patch a critical remote code execution bug, and now they are back on high alert. The React2Shell vulnerability, tracked as CVE-2025-55182, stunned the ecosystem with unauthenticated RCE against default React Server Components setups and near-100% exploit reliability. Attackers moved fast, dropping Cobalt Strike beacons, cryptominers, and RATs like EtherRAT and Noodle RAT once the flaw became public.
Patches for React2Shell landed on December 3, 2025, and teams scrambled to bump versions across Next.js, Node.js backends, and custom React servers. Many shops treated it as a “drop everything” incident, prioritizing dependency upgrades ahead of feature work. For a brief moment, it looked like the worst was over.
Days later, a sequel arrived. While researchers and the React team probed the original fix, they uncovered two New vulnerabilities in the same React Server Components “Flight” protocol. Those discoveries now carry CVE-2025-55183, CVE-2025-55184, and a related internal case, CVE-2025-67779.
Both New issues hit the same class of targets: React 19.x packages such as react-server-dom-webpack 19.0.0–19.2.0 and frameworks that embed RSC by default. That list includes: - Next.js - react-router - Waku - @parcel/rsc - @vitejs/plugin-rsc - RWSdk
Security teams now face a rapid-fire patch cycle. First, a critical RCE forced emergency upgrades. Now, just a week later, organizations must roll out another round of dependency updates, retest production builds, and redeploy—again.
These New bugs do not enable remote code execution, but they still qualify as serious. One DoS vulnerability, rated high severity with CVSS 7.5, lets an attacker fire a single POST request that triggers an infinite loop on the React server, blocking all other traffic. Availability drops to zero while the process spins.
The second flaw exposes server action source code through another trivial POST request. Severity lands in the “medium” band, but any hardcoded secrets, tokens, or database credentials inside those actions become instant loot. For misconfigured apps, “medium” can escalate to catastrophic.
The Infinite Loop That Kills Your Server
React’s second New exploit hits availability, not code execution. CVE-2025-55183 is a high‑severity Denial‑of‑Service bug in React Server Components, clocking in at CVSS 7.5. No shell access, no data exfiltration—just a dead app that stops answering the door.
Attackers do not need credentials, special infrastructure, or clever timing. One unauthenticated POST request to an RSC endpoint is enough to trigger an infinite loop inside the React server. From there, the process spins forever, burning CPU cycles while every new request waits in line until the whole service effectively stalls.
Under load, that behavior escalates from annoying to catastrophic. Because the loop runs inside the main React server process, it monopolizes the event loop and starves all other handlers. New HTTP requests pile up, time out, and users see blank pages, failing API calls, or framework‑level 500 errors.
For modern React stacks, that means any app leaning on React Server Components is exposed: Next.js, custom RSC setups with react-server-dom-webpack, and experimental RSC‑enabled routers. If your deployment routes traffic through a small pool of Node.js workers, a single crafted POST per worker can knock out the entire pool. Horizontal scaling helps only until attackers match your instance count.
Researchers RyotaK of GMO Flatt Security and Shinsaku Nomura of Bitforest discovered and reported the bug, with a related internal case later cataloged as CVE-2025-67779. Their work shows how fragile the React Server Components “Flight” data pipeline still is when it parses untrusted input. Underneath the JSX sugar, RSC relies on a bespoke streaming protocol that was never hardened like a traditional API surface.
The infinite loop stems from malformed Flight payloads that push the RSC data processor into a state it never escapes. Instead of rejecting bad input or bailing out with a timeout, the server keeps walking the same logic path indefinitely. That logic error turns a single network packet into a persistent availability outage.
Taken together with last week’s React2Shell incident, CVE-2025-55183 underlines a pattern: React’s server‑side internals now sit squarely in the security blast radius. Any app that treats RSC endpoints as “just framework plumbing” and leaves them exposed to the public internet inherits that risk by default.
Your Server's Source Code Is Up for Grabs
Medium severity sounds comforting until your server starts handing out its own blueprints. CVE-2025-55184 targets React Server Components again, this time abusing the same Flight protocol to peel back the curtain on server actions. No XSS chain, no SSRF gymnastics—just another unauthenticated POST request against a default React 19.x setup.
Under the hood, the bug lives in how React deserializes and responds to crafted Flight payloads. An attacker can ask the server to serialize a server action in a way that returns its raw source code instead of just its output. React’s own advisory, Denial of Service and Source Code Exposure in React Server Components, confirms this works against packages like react-server-dom-webpack 19.0.0–19.2.0 and frameworks that embed them.
On its face, source code exposure feels less dramatic than RCE or a CVSS 7.5 DoS crater. But server actions often double as dumping grounds for secrets, especially in rushed or legacy codebases. Once an attacker can read that code, anything you hardcoded becomes loot.
Hardcoded treasures frequently include: - API keys for third-party services (Stripe, Twilio, SendGrid) - Database usernames and passwords - JWT signing secrets or OAuth client secrets - Internal service endpoints and access tokens
This vulnerability specifically punishes teams that treated server-side code as a safe vault. Best practices say secrets live in environment variables, secret managers, or KMS-backed stores, never inline in a function. CVE-2025-55184 turns every violated guideline into a direct data breach vector.
React’s patch closes the exposure path, but it cannot un-leak what attackers already pulled. Developers now need to rotate any credential that ever touched a server action file, audit repos for hardcoded values, and finally treat secret management as a first-class security boundary, not a TODO.
The Common Thread: Unpacking React's 'Flight' Protocol Flaw
React’s latest security mess all traces back to one place: React Server Components and their quirky “Flight” wire protocol. RSCs let apps render components on the server and stream serialized UI “payloads” to the browser, which hydrates them back into live components. Flight is the custom serialization format that turns component trees, props, and server actions into a byte stream that React can reconstruct on the other side.
That reconstruction step is where everything goes sideways. Flight has to deserialize whatever the client sends, and in affected versions React treated parts of that payload as mostly trustworthy. The original React2Shell bug (CVE-2025-55182) showed how attacker-controlled Flight data could escalate into full remote code execution, with near-100% reliability against unpatched servers.
The New CVEs—CVE-2025-55183 (DoS, CVSS 7.5) and CVE-2025-55184 (source leak)—hit the exact same fault line: insecure deserialization of untrusted input. Instead of popping a shell, crafted Flight payloads now push the RSC runtime into an infinite loop or trick it into echoing back server action source code. Different outcomes, same root cause: React blindly processes hostile data sent over a protocol that was never meant to be exposed to the open internet.
Security researchers love this kind of surface area because it is both complex and ubiquitous. Flight juggles: - Component references - Server action identifiers - Arbitrary serialized values and “tokens”
Every one of those is a potential gadget for an exploit chain. Add the fact that RSCs ship inside popular stacks like Next.js, react-router, Waku, and @vitejs/plugin-rsc, and any bug in Flight instantly becomes internet-scale.
Attackers don’t need fancy infrastructure to abuse it. A single unauthenticated POST request to the RSC endpoint in a default Next.js app—no extra middleware, no custom routes—can deliver a malicious Flight payload. For CVE-2025-55183, that payload steers React’s server runtime into an infinite loop, pinning CPU and starving every other request until the process crashes or the host kills it.
CVE-2025-55184 is quieter but nastier for sloppy codebases. Another crafted POST can coerce the server into returning the literal source of a server action, exposing hardcoded API keys, database passwords, or internal logic. Because frameworks wired these endpoints automatically, many teams deployed RSCs assuming “framework default” meant “safe,” only to discover their serialization layer had become a high-value, zero-auth attack surface.
Why These 'Simple' POST Requests Are So Dangerous
No zero-day wizardry powers these New React exploits. An attacker only needs the ability to send an unauthenticated HTTP POST to your app’s React Server Components endpoint. No login, no CSRF token, no prior foothold, and no framework-specific knowledge stand in the way.
A malicious request for the DoS bug (CVE-2025-55183, CVSS 7.5) can look almost insultingly simple. Conceptually, it’s just:
```http POST /react?on_server_action=1 HTTP/1.1 Host: yourapp.com Content-Type: application/json
{"actionId":"loop","args":[{"$type":"flight","payload":"{}"}]} ```
That minimal JSON blob can trigger the infinite loop that starves your React server of resources. No giant payload, no heap-spraying, just a tiny serialized object abusing the Flight protocol.
Automation makes this even worse. A basic Python script or Node.js bot can scan IP ranges for exposed RSC endpoints and spray this POST request at thousands of targets per minute. Commodity botnets can fold this into their playbooks as easily as they once added Shellshock or Heartbleed checks.
Low-skilled attackers benefit the most. Someone who cannot write a single React component can still run a GitHub PoC, swap in a new URL, and start knocking over servers. For the source code exposure bug (CVE-2025-55184), the same script can pivot to a slightly different payload that dumps server action source straight into the response body.
Contrast that with a typical RCE chain or SSRF exploit. Those often demand deep understanding of memory layouts, gadget chains, cloud metadata services, or internal network architecture. They break more easily, require tuning to each target, and often trigger alarms during reconnaissance.
Here, success looks almost binary: if your stack uses vulnerable versions of react-server-dom-webpack (19.0.0–19.2.0) or frameworks like Next.js with RSC enabled, a stock POST just works. No feature flags, no misconfigurations, no social engineering.
That low barrier to entry changes the risk calculus. Vulnerabilities this easy to weaponize tend to show up quickly in mass scans, ransomware playbooks, and “spray and pray” campaigns. Developers who treat these as “just” DoS or “only” source exposure risk finding out the hard way that simplicity is exactly what makes them catastrophic.
Is Your Stack Vulnerable? A Checklist
React stacks that ship React Server Components are in the blast radius by default. The most important landmine is react-server-dom-webpack versions 19.0.0 through 19.2.0, which carry all three bugs: the original RCE plus the New CVSS 7.5 DoS and the source leak. If that package appears anywhere in your dependency tree in that range, you are vulnerable.
Major frameworks have already admitted impact. Next.js, Waku, @parcel/rsc, @vitejs/plugin-rsc, and several custom RSC runtimes all rely on the same Flight protocol implementation. Vercel’s official Next.js advisory, Security Bulletin: CVE-2025-55184 and CVE-2025-55183, tracks which Next.js and React versions you must run.
To check a Node project quickly, search your lockfile instead of trusting package.json. In npm projects, open package-lock.json and look for:
- "react-server-dom-webpack"
- version fields between "19.0.0" and "19.2.0"
- any nested dependency blocks pulling those versions indirectly
Yarn users should do the same in yarn.lock. Use a text search for "react-server-dom-webpack@19." and confirm the resolved version is at least 19.2.1 or whatever patched build your framework specifies. If multiple entries exist, every vulnerable one must be upgraded.
Monorepos and workspaces complicate this further. Each app or package can pin a different React and RSC toolchain, so you need to scan every package-lock.json or yarn.lock under apps/, packages/, and examples/. CI images and Dockerfiles that bake node_modules must be rebuilt after dependency bumps.
If you run Next.js on a managed platform like Vercel, check both your package versions and your provider’s status page. Framework vendors are backporting patches, but none of that matters if your lockfile still freezes you on a vulnerable Flight implementation.
From RCE to DoS: A Week of Non-Stop Patches
React’s security story in December reads like a sprint under fire. On December 3, Meta shipped an emergency patch for CVE-2025-55182, the “React2Shell” remote code execution flaw that turned unauthenticated POST requests into near-100% reliable RCE on React Server Components infrastructure. Within days, researchers and the React team were back in the code, probing the same Flight protocol paths that had just been hardened.
By December 7, maintainers had prototypes for new fixes addressing two more bugs uncovered during post-mortem testing: a high-severity DoS issue (CVE-2025-55183, CVSS 7.5) and a medium-severity source code exposure bug (CVE-2025-55184), plus a related internal case, CVE-2025-67779. December 8 kicked off a quiet but aggressive coordination phase, with major hosting providers and framework authors pulled into private channels before any npm releases went live.
That coordination step mattered. Platforms like Vercel, along with maintainers of Next.js, react-router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and RWSdk, received early technical details so they could ship mitigations or emergency deploys ahead of public disclosure. By December 10, most large hosts had already rolled out filters and updated images to blunt trivial POST-based attacks against RSC endpoints.
Public patches landed on December 11, when updated versions of react-server-dom-webpack and related React 19.x packages hit npm with hardened Flight serialization and stricter server action handling. On the same day, the React team published an advisory detailing CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, stressing that no New RCE had been reintroduced and that the React2Shell fix still held.
Bug bounty hunters drove much of this compressed timeline. Lachlan Davidson’s original RCE report on November 29 triggered the December 3 patch, and the follow-on issues came from RyotaK (GMO Flatt Security), Shinsaku Nomura (Bitforest), and Andrew MacPherson (AndrewMohawk), all working through Meta’s bug bounty pipeline. That steady stream of paid reports turned what could have been a slow-motion disaster into a frantic but controlled week of patches, rather than a months-long zero-day free-for-all.
The Immediate Fix: How to Secure Your Apps Today
React apps using Server Components need a rapid, three-step lockdown: update, verify, then audit. CVE-2025-55183 (DoS, CVSS 7.5) and CVE-2025-55184 (source leak) both hit the Flight protocol, and no amount of clever networking saves you if your dependencies stay stale.
Start with upgrades. For most projects, that means bumping to the patched React 19 line and your framework’s latest security release. On npm, run: - `npm install react@latest react-dom@latest react-server-dom-webpack@latest --save` - For Next.js: `npm install next@latest --save`
Yarn users should mirror those bumps: - `yarn add react@latest react-dom@latest react-server-dom-webpack@latest` - `yarn add next@latest` Frameworks built on React Server Components such as Next.js, Waku, `@parcel/rsc`, `@vitejs/plugin-rsc`, and RWSdk all ship their own Flight handling, so you must track and install each project’s security advisory release, not just core React.
Verification comes next. Updating without confirming versions leaves you guessing whether CVE-2025-55183 and CVE-2025-55184 still sit in your tree. Use: - `npm ls react react-dom react-server-dom-webpack next` - or `yarn why react react-dom react-server-dom-webpack next` to confirm every resolved version matches the patched releases announced on the React and Next.js security pages.
Pay close attention to nested dependencies. Monorepos and older lockfiles often pin vulnerable `react-server-dom-webpack` versions (19.0.0–19.2.0) even after a top-level bump. Regenerate lockfiles with `rm package-lock.json && npm install` or `rm yarn.lock && yarn install` if the tree still shows pre-patch builds.
Defense-in-depth means assuming CVE-2025-55184 already exposed your code. Run a fast audit for hardcoded secrets in server actions and RSC handlers: - `git grep -i "api_key\|apikey\|secret\|token\|password"` - scan `.env` fallbacks and “temporary” inline credentials - review logging and debug helpers that print request bodies or config
Rotate anything even vaguely sensitive: database passwords, third-party API keys, JWT signing keys, OAuth client secrets, and internal service tokens. If attackers pulled your source once, those secrets remain valid until you revoke them.
Major hosts like Vercel already pushed network-level mitigations to blunt unauthenticated Flight abuse. Those filters buy time but do not patch your app; a single misconfigured proxy, self-hosted deployment, or future bypass drops you back into RCE-and-DoS roulette. Only updated dependencies actually close these New React exploits.
Beyond the Patch: What This Means for React's Future
React’s week from hell forces a hard question: can Server Components be trusted at scale, or did the ecosystem ship a half-baked backend runtime into production? Three CVEs in under two weeks, all abusing the same Flight protocol, suggest this is more than a one-off bug. It looks like a systemic design problem in how React treats serialized data from the network.
React Server Components promised a clean split between client and server, but in practice they turned React into an application server framework. Once you accept POST requests, deserialize complex payloads, and run Server Actions, you are no longer “just frontend.” You are a network-exposed backend, with all the attack surface that implies.
These back-to-back vulnerabilities raise uncomfortable maturity questions for RSCs. CVE-2025-55182 handed out unauthenticated RCE, while CVE-2025-55183 and CVE-2025-55184 followed with CVSS 7.5 DoS and source disclosure, all reachable via trivial POSTs. That pattern looks less like bad luck and more like a security model that never received a proper adversarial review.
Growing pains still describe part of the story. RSCs sit at the bleeding edge, wired into Next.js, react-router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and more, all moving fast. When a protocol like Flight underpins multiple frameworks, a single deserialization flaw instantly becomes a cross-ecosystem incident.
Security teams have been warning this was coming. Unit 42 already tracks active exploitation of CVE-2025-55182, from Cobalt Strike beacons to cloud credential theft and cryptomining payloads. Wiz labeled React2Shell “critical” precisely because default configs exposed production apps without any opt-in.
Frontend developers now own responsibilities that used to belong to backend and platform teams. Handling secrets in Server Actions, validating inputs, applying rate limits, and segmenting network access can no longer be “ops problems.” If your React app speaks directly to databases, queues, and internal APIs, you are writing backend code, regardless of job title.
Security-first development has to move left into the React toolchain itself. That means: - Threat modeling new framework features - Mandatory secure-by-default configs - Aggressive fuzzing of protocols like Flight - First-class support for secrets management and policy
Expect more attacker focus on modern frameworks. Unit 42 and Wiz both see a trend: exploits now target opinionated stacks—React, Next.js, Nuxt, Remix—because one bug buys access to thousands of apps. For a deeper breakdown of the DoS and source-leak chain, Aikido’s write-up on React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell shows how quickly these issues cascade across providers.
Don't Be the Next Victim: The New Rules of React Security
React developers just got a crash course in modern web risk management: assume compromise, patch immediately, and never trust your own abstractions. Three CVEs in under two weeks—CVE-2025-55182, CVE-2025-55183, and CVE-2025-55184—show how fast a popular framework can become an attack vector. Treat every React upgrade, especially around React Server Components, as a security release first and a feature release second.
That means “update when convenient” is dead. If you run React 19.x with react-server-dom-webpack 19.0.0–19.2.0 or frameworks like Next.js, react-router, Waku, @parcel/rsc, @vitejs/plugin-rsc, or RWSdk, you patch now or accept RCE, CVSS 7.5 DoS, and source code leaks as a business decision. CI pipelines should fail builds on outdated security versions, not just outdated TypeScript configs.
One-off upgrades are not a strategy. Every React team should subscribe to security advisories for: - React and react-server-dom-webpack (npm advisory + GitHub Security Advisories) - Your primary framework (Next.js, Remix, etc.) - Your hosting provider or PaaS (Vercel, Netlify, Cloudflare, AWS Amplify)
Security mailing lists and RSS feeds sound old-school until a “simple POST request” takes your app offline. Set up alerts in GitHub Dependabot, Snyk, or Renovate so CVEs like CVE-2025-55182 do not arrive as a surprise Twitter thread. Treat dependency updates as part of sprint work, not side quests.
Even after these patches, the fragile core remains: deserialization of untrusted data over the Flight protocol. Any system that decodes complex, nested objects from the network—RSCs, JSON-based RPC, GraphQL—sits on an attack surface that attackers love. Safer encodings, stricter schemas, and hard input validation need to be design requirements, not afterthoughts.
Frontend stacks now run server code, handle secrets, and orchestrate infrastructure. React’s month of CVEs is a reminder that “frontend security” is just web security—and the web only gets resilient when UI code earns the same paranoia long reserved for databases and auth systems.
Frequently Asked Questions
What are the two new React vulnerabilities disclosed in December 2025?
The two new vulnerabilities affect React Server Components. The first (CVE-2025-55183, high severity) is a Denial-of-Service (DoS) attack that causes an infinite loop. The second (CVE-2025-55184, medium severity) allows attackers to view the source code of your server actions.
Which versions of React and Next.js are affected?
The vulnerabilities impact React packages like `react-server-dom-webpack` versions 19.0.0 through 19.2.0. Frameworks using React Server Components, most notably Next.js, are affected. Users are urged to update to the latest patched versions immediately.
How do I fix these React exploits?
The primary fix is to update your React dependencies, specifically packages related to React Server Components, to the latest versions released on or after December 11, 2025. Vercel has also deployed mitigations for Next.js users on their platform.
Are these new exploits related to the previous RCE vulnerability (React2Shell)?
Yes, they were discovered by security researchers while testing the patches for the original RCE flaw (CVE-2025-55182). They exploit a similar attack vector via the 'Flight' protocol but do not reintroduce the remote code execution risk.