
Redazione RHC : 12 December 2025 08:04
The React Server component security saga continues this week.
Following the patch for the critical remote code execution (RCE) vulnerability known as React2Shell, researchers have discovered two new vulnerabilities. While less serious than the previous one, they still pose significant risks: a denial-of-service (DoS) attack that can hang a server, and the disclosure of server-side source code.
Affected versions are 19.0.0 through 19.0.2, 19.1.0 through 19.1.2, and 19.2.0 through 19.2.2. Developers are advised to update to the patched versions as soon as they are released.
These vulnerabilities have a wide reach: an application does not need to call any React Server Function itself to be exposed. "Even if your app doesn't implement any React Server Function endpoints, it could still be vulnerable if it supports React Server Components," the security researchers warn.
The most pressing issue, rated CVSS 7.5, is a vulnerability that can bring a server to its knees. Tracked as CVE-2025-55184 and CVE-2025-67779, it lets an attacker send the server into an infinite loop with a single crafted HTTP request. According to the advisory, the loop consumes the server's CPU, effectively tying up its resources.
The second vulnerability, CVE-2025-55183, has a CVSS score of 5.3 (medium) and affects the confidentiality of application code. Under specific circumstances, a malicious request can trick a server function into returning source code to the attacker. According to the advisory, the researcher found that sending a crafted HTTP request to a vulnerable server function could cause the source code of any server function to be returned unintentionally.
The attack requires a particular coding pattern: a server function that explicitly or implicitly converts one of its arguments to a string, for example by concatenating it into a message or a returned value. If exploited, the leaked code can reveal business logic, database keys or other secrets embedded in the function's source.
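As an added illustration, not React's own code and not part of the original article, the JavaScript below models the coding pattern just described. A request decoder resolves argument references to registered server functions; this is a deliberately simplified stand-in for the real React Server Components deserialization, and the `fn:<name>` token is a hypothetical placeholder, not the real wire format. One server function implicitly coerces its argument to a string inside a template literal, so an attacker who passes a reference to another server function gets that function's source (via `Function.prototype.toString`) echoed back, secret included. The hardened variant checks the argument type before using it. The server functions are synchronous here for brevity, and the embedded "database key" and the request body are constructed for the demo.

```javascript
// Added example: source-code disclosure through implicit string coercion of a
// server-function argument. Not React's code; the decoder is a simplified model.

// Server functions the app exposes. The key below is a constructed demo value.
const serverFunctions = {
  chargeCard(amount) {
    const dbKey = "db-key-demo-only"; // constructed secret living inside the function body
    return `charged ${amount} (db key ends in ${dbKey.slice(-4)})`;
  },
  // VULNERABLE: `name` is dropped straight into a template literal. If the
  // decoded argument is a function rather than a string, the literal calls
  // Function.prototype.toString() and the function's source ends up in the reply.
  greetVulnerable(name) {
    return `Hello, ${name}!`;
  },
  // HARDENED: refuse anything that is not a plain string before coercing it.
  greetHardened(name) {
    if (typeof name !== "string") throw new TypeError("name must be a string");
    return `Hello, ${name}!`;
  },
};

// Hypothetical stand-in for the deserialization step: the body is a JSON array
// of arguments, and any string shaped like "fn:<name>" is resolved to the
// registered server function, modelling a client passing a function reference.
function decodeArgs(body) {
  return JSON.parse(body).map((arg) => {
    if (typeof arg === "string" && arg.startsWith("fn:")) {
      const target = serverFunctions[arg.slice(3)];
      if (!target) throw new Error(`unknown server function ${arg}`);
      return target;
    }
    return arg;
  });
}

// Minimal handler: look up the named server function, call it with the decoded
// arguments, and return either its result or the error message as the body.
function handleRequest(fnName, body) {
  const fn = serverFunctions[fnName];
  if (!fn) return { status: 404, body: "no such function" };
  try {
    return { status: 200, body: String(fn(...decodeArgs(body))) };
  } catch (err) {
    return { status: 400, body: err.message };
  }
}

// Constructed malicious request: instead of a name, the attacker supplies a
// reference to chargeCard, so the greeting embeds chargeCard's source text.
const maliciousBody = JSON.stringify(["fn:chargeCard"]);

function demo() {
  const leaked = handleRequest("greetVulnerable", maliciousBody);
  const blocked = handleRequest("greetHardened", maliciousBody);
  return {
    leaksSource: leaked.body.includes("db-key-demo-only"),
    hardenedStatus: blocked.status,
    hardenedLeaks: blocked.body.includes("db-key-demo-only"),
  };
}

console.log(demo());
```

The same coercion can happen through `+` concatenation, `String(arg)`, or an error message built from the argument; the fix is the same in each case: validate that every argument has the expected primitive type before it reaches any string context, and never reflect raw arguments into responses or error messages.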
The React team explicitly confirmed that these new bugs will not reopen the door to full server takeover. “These new vulnerabilities do not allow remote code execution. The React2Shell patch remains effective in mitigating the remote code execution exploit.”
The team urges developers to update as soon as possible, as the newly disclosed vulnerabilities are still of significant severity.