New React vulns leak secrets, invite DoS attacks
(2025/12/12)
- Reference: 1765563810
- News link: https://www.theregister.co.uk/2025/12/12/new_react_secretleak_bugs/
If you're running React Server Components, you just can't catch a break. In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server Function source code, so anyone using RSC or frameworks that support it should patch quickly.
The [1]latest vulnerabilities - two high-severity denial-of-service bugs tracked as [2]CVE-2025-55184 and [3]CVE-2025-67779 (CVSS 7.5), and a source-code exposure flaw tracked as [4]CVE-2025-55183 (CVSS 5.3) - were found by security researchers attempting to poke holes in the patch for the earlier maximum-severity React flaw that [5]is under active exploitation.
[6]CVE-2025-55182, the React server-side vulnerability dubbed "React2Shell" disclosed and patched on December 3, allows for [7]remote code execution (RCE), and researchers are tracking at least 15 distinct intrusion clusters over the past 24 hours alone.
The high-severity denial-of-service bugs (CVE-2025-55184 and CVE-2025-67779) can be exploited by sending a specially crafted HTTP request to any server function endpoint, causing an infinite loop that hangs the server process and consumes CPU.
"This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment," according to the React team.
Researchers [11]RyotaK and Shinsaku Nomura found and reported the DoS bugs to Meta, which created the open source library.
CVE-2025-55183, the medium-severity source-code exposure hole, requires the existence of a specific server function that explicitly or implicitly exposes an argument converted into a string format.
But assuming that exists, this vulnerability can be abused via a malicious HTTP request to leak secrets hardcoded in source code. Runtime secrets - such as process.env.SECRET - are not affected.
React credited [13]Andrew MacPherson with finding this secrets-leak flaw.
All three new CVEs exist in the same packages and versions as CVE-2025-55182. These are versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2 of [18]react-server-dom-webpack, [19]react-server-dom-parcel, and [20]react-server-dom-turbopack.
And it's worth noting that the earlier patched versions for React2Shell are still vulnerable to these new bugs.
"If you already updated for the Critical Security Vulnerability last week, you will need to update again," according to the Thursday security alert. "If you updated to 19.0.2, 19.1.3, and 19.2.2, [22]these are incomplete and you will need to update again."
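A quick way to find out whether a deployment still needs the second round of updates is to audit the lockfile for the three packages and the version lists above. The script below is an added example, not code from the article or the React project; it reads a package-lock.json v2/v3 "packages" map and flags the versions the article lists as affected and the React2Shell fix versions the alert calls incomplete. Because the article does not state the fixed version numbers, any other version is reported as "check the advisory" rather than as safe, and the sample lockfile is constructed.

```javascript
// Added example (not from the article or the React project): audit a
// package-lock.json for the react-server-dom-* versions the article lists
// as affected, and for the React2Shell fix versions the alert calls incomplete.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// Versions the article lists as affected by all three new CVEs.
const AFFECTED_VERSIONS = new Set([
  '19.0.0', '19.0.1', '19.0.2', '19.1.0', '19.1.1', '19.1.2',
  '19.2.0', '19.2.1', '19.2.2',
]);
// Versions the React alert calls incomplete fixes for React2Shell.
const INCOMPLETE_FIX_VERSIONS = new Set(['19.0.2', '19.1.3', '19.2.2']);

// Walk the lockfile v2/v3 "packages" map; keys look like
// "node_modules/<name>" or "node_modules/<parent>/node_modules/<name>",
// so nested copies pulled in by a framework are caught as well.
function auditLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const version = entry.version;
    // Fixed versions are not given in the article: unknown means "verify".
    let status = 'unknown-check-advisory';
    if (INCOMPLETE_FIX_VERSIONS.has(version)) status = 'incomplete-fix';
    else if (AFFECTED_VERSIONS.has(version)) status = 'affected';
    findings.push({ path, name, version, status });
  }
  return findings;
}

// True when at least one copy is on a version the article says to update.
function needsUpdate(findings) {
  return findings.some((f) => f.status !== 'unknown-check-advisory');
}

// Constructed sample lockfile (not a real project): one direct dependency on
// an incomplete-fix version and one nested copy still on an affected version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.2' },
    'node_modules/react-server-dom-webpack': { version: '19.2.2' },
    'node_modules/some-framework/node_modules/react-server-dom-turbopack': { version: '19.1.1' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK), 'update needed:', needsUpdate(auditLockfile(SAMPLE_LOCK)));
```

Point `auditLockfile` at `JSON.parse(fs.readFileSync('package-lock.json'))` from a real project to run it against an actual deployment.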
More than 50 organizations across multiple sectors have been impacted by React2Shell, as of Wednesday, according to Palo Alto Networks' Unit 42, with [23]attackers from North Korea and China abusing the flaw.
In a Friday alert, security and cyber insurance shop Coalition (as other researchers have also noted) [24]likened React2Shell to the 2021 [25]Log4Shell vulnerability (CVE-2021-44228), which led to hundreds of ransomware attacks. ®
[1] https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
[2] https://www.cve.org/CVERecord?id=CVE-2025-55184
[3] https://www.cve.org/CVERecord?id=CVE-2025-67779
[4] https://www.cve.org/CVERecord?id=CVE-2025-55183
[5] https://www.theregister.com/2025/12/12/vulnerable_react_instances_unpatched/
[6] https://www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/
[7] https://www.theregister.com/2025/12/05/aws_beijing_react_bug/
[11] https://ryotak.net/
[13] https://github.com/AndrewMohawk
[18] https://www.npmjs.com/package/react-server-dom-webpack
[19] https://www.npmjs.com/package/react-server-dom-parcel
[20] https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme
[22] https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components#additional-fix-published
[23] https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/
[24] https://www.coalitioninc.com/blog/security-labs/react2shell-mobilization
[25] https://www.theregister.com/2023/12/11/log4j_vulnerabilities/
Why use server side rendering, when it is so much more risky than client side rendering?
One of the main reasons for using it is to make content on the publisher's web application visible to search engines. In a traditional React app, the content you see in the browser is generated on the client (browser-side) after JavaScript executes. Search engine crawlers (e.g., Google, Bing) sometimes have trouble executing JavaScript to see the fully loaded page. With server side rendering, the fully-rendered HTML, including the critical content, is already generated on the server and sent to the client. This ensures that crawlers see the full content immediately. But that might also include user-specific content the users would rather not share.
Also, when publishers share a URL on platforms like Facebook, Twitter, or LinkedIn, these platforms fetch metadata (like the page title, description, and image) to create a preview of the link. With client side rendering, the social media crawler might not detect them, resulting in a tragically broken or empty preview. In contrast, server side rendering populates the meta tags dynamically on the server, ensuring that crawlers fetch a complete, SEO-friendly page.