React Server in the Crosshairs: New Vulnerabilities Threaten Uptime and Confidentiality
Subtitle: Recent flaws in React Server expose applications to DoS attacks and accidental source code leaks, prompting urgent updates.
Just when developers thought the storm had passed after the notorious React2Shell incident, React Server is again under fire. A fresh pair of critical vulnerabilities has surfaced, threatening to disrupt services and compromise sensitive code. For organizations relying on React Server, the clock is ticking to patch up before attackers strike.
The Vulnerabilities Unpacked
Security researchers have identified two major vulnerabilities in React Server, following closely on the heels of a previous Remote Code Execution (RCE) scare. While these new flaws don’t allow attackers to seize total control, they pack a punch in other ways.
The first and most urgent issue, tracked as CVE-2025-55184 and CVE-2025-67779 (CVSS score: 7.5), allows a remote attacker to send a specially crafted HTTP request that forces the server into an infinite loop. The result? The server’s CPU is maxed out, effectively locking out legitimate users and grinding services to a halt - a textbook Denial of Service (DoS) attack. Even applications that don’t actively use React Server Functions may be vulnerable if they support React Server Components, significantly widening the attack surface.
The second vulnerability, CVE-2025-55183 (CVSS 5.3), is less severe but still concerning. Under certain coding patterns, an attacker can trick the server into disclosing its own source code. Where a Server Function converts one of its parameters to a string, a malicious request can cause the server to return the underlying source of its functions in the response. In worst-case scenarios, this could reveal business logic, security mechanisms, or even embedded database keys - critical intelligence for any would-be attacker.
The React team has been quick to reassure the community that these bugs do not reopen the door to remote code execution. The fixes for React2Shell, a previous high-profile exploit, remain effective. Still, the urgency of the new patches cannot be overstated: even without RCE, service disruption and code leaks pose serious risks to businesses and users alike.
What Should Developers Do?
Developers are strongly advised to upgrade to the latest React Server versions (19.0.3, 19.1.4, or 19.2.3) without delay. The vulnerabilities affect a broad range of deployments, and exploitation requires nothing more than a malicious HTTP request. With exploit details now public, the window for attackers to act is wide open.
WIKICROOK Glossary
- Denial of Service (DoS): An attack that overwhelms a server or network, making it unavailable to legitimate users.
- CVSS: Common Vulnerability Scoring System, a standardized method for rating the severity of security vulnerabilities.
- Remote Code Execution (RCE): A critical vulnerability that allows attackers to run arbitrary code on a target system from a remote location.
- React Server Components: Parts of a React application that are rendered on the server side, often used to improve performance and security.
- Source Code Disclosure: An incident where an application’s underlying code is unintentionally exposed, potentially revealing sensitive information.