React2Shell Saga Continues: New DoS Flaw & Source Code Leak Discovered in React Server Components
The long-running React2Shell saga—which has continued to disrupt many web projects—has taken another turn: it has emerged that the original fix was incomplete. A deeper review uncovered two additional vulnerabilities in the React Server Components implementation and assigned a separate identifier to the earlier shortcoming.
Liz Herder of the Vercel team reported that the newly identified issues include a high-severity denial-of-service flaw (CVE-2025-55184) and a medium-severity vulnerability that allows attackers to retrieve compiled Server Actions source code (CVE-2025-55183). Neither issue enables remote code execution. It was also noted that the initial React2Shell patch failed to fully mitigate denial-of-service attacks across all workload types, leading to the assignment of CVE-2025-67779.
In the case of CVE-2025-55184, an attacker can send a specially crafted HTTP request to any App Router endpoint, causing the server process to stall during deserialization and consume excessive CPU resources. CVE-2025-55183 allows a crafted request to expose compiled Server Actions code, potentially revealing business logic, though secrets should remain protected unless they were hard-coded directly into the source.
The vulnerabilities affect versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 of the react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack packages. These components are used by Next.js (branches 13.x, 14.x, 15.x, and 16.x) and may also appear in other frameworks and plugins that embed or depend on the React Server Components implementation.
To mitigate risk, Vercel has introduced new rules and deployed them within the Vercel WAF, automatically protecting hosted projects at no additional cost. The company cautions, however, that a WAF alone is insufficient and strongly advises updating to patched versions as soon as possible. The issues have been resolved in React 19.0.2, 19.1.3, and 19.2.2, as well as in Next.js releases 14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, 15.6.0-canary.60, 16.0.10, and 16.1.0-canary.19.
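Because the fix is to upgrade, the first practical step for a defender is to find out which of the named packages a project actually resolves, including copies nested under other dependencies. The script below is an added example, not code from the article, Vercel or the React project. It walks a package-lock.json v3-style `packages` map (an assumed layout), treats the patched releases the article lists as the fix threshold for each minor line, and flags anything older as vulnerable; minor lines for which the article names no patched release (such as Next.js 13.x) and prerelease or canary builds are returned as `review` rather than guessed at. The lockfile contents are constructed sample data.

```javascript
// Added example (not from the article or from Vercel/React): audit a
// package-lock.json v3-style "packages" map for the react-server-dom-*
// and next releases the article lists as affected.

// Patched releases named in the article, keyed by package and "major.minor" line.
// The canary fixes (15.6.0-canary.60, 16.1.0-canary.19) are deliberately not
// modelled here; any prerelease version is returned as "review" instead.
const RSD_LINES = { '19.0': '19.0.2', '19.1': '19.1.3', '19.2': '19.2.2' };
const PATCHED = {
  'react-server-dom-webpack': RSD_LINES,
  'react-server-dom-parcel': RSD_LINES,
  'react-server-dom-turbopack': RSD_LINES,
  next: {
    '14.2': '14.2.35', '15.0': '15.0.7', '15.1': '15.1.11', '15.2': '15.2.8',
    '15.3': '15.3.8', '15.4': '15.4.10', '15.5': '15.5.9', '16.0': '16.0.10',
  },
};
// Major lines the article describes as affected. A minor line inside one of
// these majors with no entry in PATCHED (e.g. next 13.x) is flagged "review".
const AFFECTED_MAJORS = {
  'react-server-dom-webpack': [19],
  'react-server-dom-parcel': [19],
  'react-server-dom-turbopack': [19],
  next: [13, 14, 15, 16],
};

// Minimal semver parser: "19.2.1" or "15.6.0-canary.60" -> parts object.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare major.minor.patch only; prerelease tags are handled by the caller.
function compareRelease(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Returns one of: "not-in-scope", "unparseable", "review", "vulnerable", "patched".
function assess(pkg, version) {
  const lines = PATCHED[pkg];
  if (!lines) return 'not-in-scope';
  const v = parseSemver(version);
  if (!v) return 'unparseable';
  if (!AFFECTED_MAJORS[pkg].includes(v.major)) return 'not-in-scope';
  if (v.pre) return 'review'; // canary/prerelease: check the advisory by hand
  const fixed = lines[`${v.major}.${v.minor}`];
  if (!fixed) return 'review'; // no patched release named for this minor line
  return compareRelease(v, parseSemver(fixed)) < 0 ? 'vulnerable' : 'patched';
}

// Walk a lockfile "packages" map; the key is the install path, so the package
// name is whatever follows the last "node_modules/" segment (scoped names keep
// their "@scope/" prefix). Workspace entries without node_modules/ fall back
// to the entry's own "name" field.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const idx = path.lastIndexOf('node_modules/');
    const name = idx === -1 ? (meta.name || path) : path.slice(idx + 'node_modules/'.length);
    if (!(name in PATCHED)) continue;
    const status = assess(name, meta.version);
    if (status === 'patched' || status === 'not-in-scope') continue;
    findings.push({ path, name, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one vulnerable next, one
// vulnerable nested RSC package, one patched RSC package, one unpatched 13.x line.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { next: '15.5.3', react: '19.2.0' } },
    'node_modules/next': { version: '15.5.3' },
    'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.2' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/@acme/old-plugin/node_modules/next': { version: '13.5.6' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`. Nested copies matter: a patched top-level `react-server-dom-webpack` says nothing about the copy a plugin pins under its own `node_modules`, which is why the walk keys on install path rather than on the root `dependencies` block. Treat `review` results as work items, not as clean.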