This post by OX Research team was published on Dec 12, 2025
CVE-2025-55184, CVE-2025-67779, CVE-2025-55183 affect React 19.0.0-19.2.2 – including the fixed versions of React2Shell
TL;DR
Three new critical vulnerabilities have been discovered in React Server Components (RSC) affecting React versions 19.0.0 through 19.2.2. CVE-2025-55184 and CVE-2025-67779 enable denial of service attacks, while CVE-2025-55183 exposes backend source code, potentially leaking API keys and secrets.
Organizations that patched for React2Shell are still vulnerable and must update immediately to versions 19.0.3, 19.1.4, or 19.2.3. While these vulnerabilities don’t permit remote code execution like React2Shell, they pose significant risks to application availability and confidential information security.
Overview
Three new CVEs in React were disclosed – two allowing denial of service (CVE-2025-55184, CVE-2025-67779), and one allowing exposure of source code (CVE-2025-55183). While these vulnerabilities are highly critical, it’s important to note that they do not allow for RCE similar to React2Shell, but only for Denial of Service and source code exposure.
For a comprehensive technical breakdown of the original React2Shell exploit mechanics, see our deep-dive analysis of CVE-2025-55182.
Affected Packages
| Package name | Affected versions |
|---|---|
| React | 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 |
Fix Versions
| Package name | Fixed versions |
|---|---|
| React | 19.0.3, 19.1.4, and 19.2.3 |
Who is affected
Any server running an unpatched version of React, or any package based on a vulnerable React component from the list below:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Impact
- Any application that uses React Server Components (RSC) in a vulnerable React version.
- Users who already updated for the React2Shell vulnerability are still affected and must update again, including the following versions of React:
  - 19.0.0, 19.0.1, 19.0.2
  - 19.1.0, 19.1.1, 19.1.2
  - 19.2.0, 19.2.1, 19.2.2
Potential Damage
Two of the vulnerabilities are Denial of Service issues: an attacker sending a crafted network request can cause the server to hang or stop working.
The third vulnerability can expose backend source code, causing information leakage; if API keys and secrets are embedded directly in the code, they may be exposed as well.
Recommended Actions
Immediate Actions:
- Update React and React Server Components to a fixed version immediately.
- Prioritize business-critical applications, especially those that are internet-facing or whose source code holds valuable data such as company secrets and proprietary business logic.
Technical Analysis
While reviewing the fix for the React DoS vulnerability, we found a function in the ReactFlightReplyServer code that is responsible for handling server responses asynchronously.
This code processes chunks of incoming data and inspects them. The logic error was that a large JSON payload could be sent to the server whose parameters point back to themselves; the code followed those references indefinitely, looping forever and leaving the server unresponsive.
The fix handles this case by checking whether the loop has run more than 1000 times and, if so, exiting the loop instead of continuing the value inspection.

The source code leakage vulnerability (CVE-2025-55183) was apparently caused by attackers being able to call the “.toString” function on a server function object; the server function’s source code was rendered as a string and returned to the attacker.
As can be seen in the fix, the React JavaScript function for server references is overridden so that whenever “toString” is called it returns an empty function string instead of the original server function code.
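As an added illustration written for this post (not React’s own code), the following JavaScript models both fixes described above: a server-function reference whose toString is overridden to return an empty function string, and a reference-resolution loop capped at 1000 iterations so a self-pointing chunk cannot spin forever. The function names, the chunk map format and the embedded secret value are assumptions constructed for the example.

```javascript
// Added illustration, not React's own code: (1) how Function.prototype.toString
// exposes a function's source and the toString override the fix applies, and
// (2) a bounded reference-resolution loop of the kind the DoS fix adds.
// All names and the chunk format below are assumptions for this example.

// Hypothetical server function with a secret embedded in its body
// (constructed sample value, not a real key).
function makeServerFunction() {
  return function updateProfile(userId) {
    const API_KEY = "sk-constructed-example-key";
    return `updated ${userId}`;
  };
}

// Unhardened: a plain function answers toString() with its complete source text.
function unhardenedReference(fn) {
  return fn;
}

// Hardened (models the described fix): the reference's toString now yields an
// empty function string, so String(ref) and `${ref}` no longer reveal the body.
function hardenedReference(fn) {
  Object.defineProperty(fn, "toString", {
    value: function () { return "function () {}"; },
    writable: false,
    configurable: false,
  });
  return fn;
}

// Defender's check: does the string rendering of a reference contain a marker
// (for instance a known secret prefix) that should never leave the server?
function leaksSource(ref, marker) {
  return String(ref).includes(marker);
}

// Bounded resolution of "$<id>" chunk references. Without the cap, a chunk that
// points at itself (chunk 0 holding "$0") is followed forever; with it, the
// reply is rejected once the chain exceeds MAX_HOPS.
const MAX_HOPS = 1000;
function resolveReference(chunks, ref) {
  let current = ref;
  for (let hops = 0; hops < MAX_HOPS; hops++) {
    if (typeof current !== "string" || !current.startsWith("$")) return current;
    current = chunks[current.slice(1)];
  }
  throw new Error("reference chain exceeded " + MAX_HOPS + " hops; rejecting reply");
}
```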

Conclusion
What happened: The React team has released urgent patches for three new security vulnerabilities in React Server Components (RSC), CVE-2025-55184, CVE-2025-67779 (Denial of Service), and CVE-2025-55183 (Source Code Exposure).
If you are using React or packages that rely on React Server Components, please update to a fixed version immediately. This includes the following packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Worried your environment was exposed? Contact us to validate your exposure and understand the impact.