Urgent Security Update: Addressing Recent Critical Vulnerabilities in React

Published on Dec 14, 2025

React underpins a large share of modern web applications, so a security issue in it has broad reach. Several vulnerabilities disclosed this month affect React Server Components (RSC) and require immediate attention, one of them a critical remote code execution flaw. This article outlines each issue and gives clear, actionable steps to secure affected applications.

Understanding the Latest React Vulnerabilities

The latest vulnerabilities affect React 19 and frameworks built on React Server Components, such as Next.js. All three concern how the server deserializes RSC payloads sent by the client and how Server Function arguments are validated.

CVE-2025-55182: React2Shell – Remote Code Execution (RCE)

What is the issue?

This critical vulnerability (CVSS 10.0) is an unsafe deserialization flaw in the React Server Components "Flight" protocol, the wire format RSC uses to exchange payloads between client and server. An unauthenticated attacker can send a single crafted HTTP request to a server that accepts RSC payloads and execute arbitrary code on it. The application does not need to define any Server Functions; it is enough that the framework supports RSC.

Affected Versions: React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 (including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack).

How to mitigate it?

Upgrade the affected react-server-dom-* packages to 19.0.3, 19.1.4, or 19.2.3 or later. The fix for this CVE first shipped in 19.0.1, 19.1.2 and 19.2.1, but the follow-up advisories below require the later releases, so go straight to those. If you use Next.js, upgrade Next.js itself: it bundles its own copy of react-server-dom-webpack, so bumping the React packages in your own lockfile does not patch the framework.

CVE-2025-55184: Denial of Service (DoS)

What is the issue?

This high-severity DoS vulnerability lets an attacker send an RSC payload that unfolds into endlessly nested Promises, driving the server into an infinite loop that hangs the process and takes it offline. No authentication is needed; the only requirement is a server that processes RSC Server Action payloads.

Affected Versions: React versions 19.0.0 through 19.2.1 and Next.js versions 13.x through 16.x are affected, specifically in react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack packages.

How to mitigate it?

Upgrade to React 19.0.3, 19.1.4, or 19.2.3 or later. The first patch for this issue (19.0.2, 19.1.3, 19.2.2) was incomplete, and the React2Shell fix (19.0.1, 19.1.2, 19.2.1) does not address it at all, so anyone who already updated for React2Shell must update again.

CVE-2025-55183: Source Code Exposure

What is the issue?

This medium-severity vulnerability can expose server-only source code. If a Server Function accepts an argument and coerces it to a string (for example by concatenating or interpolating it) without first checking that it is actually a primitive string, a non-primitive value supplied by an attacker can cause the function's own source code to be returned. Anything hardcoded in that source, such as API keys or other secrets, is exposed along with it.
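The following is an added example, not code from React or from this article, showing the hazard the paragraph describes and the argument check that closes it. In JavaScript, String(fn) and "..." + fn return a function's source text, so a Server Function that coerces an untrusted argument will embed the source of any function value that reaches it. The function names (lookupUserUnsafe, lookupUserSafe, withPrimitiveArgs), the URL, the environment variable and the API key literal are all hypothetical or constructed; the assumption that a function object can arrive in place of a string argument models the effect of the library bug, not the exact path an attacker uses, which the upgrade fixes.

```javascript
// Added example (not React's code): why "string coercion without validating
// the primitive type" leaks source, and a guard that rejects non-primitive
// arguments before they are coerced.

// VULNERABLE SHAPE: trusts that `id` is a string and coerces it.
function lookupUserUnsafe(id) {
  // Hardcoded secret (a constructed placeholder, not a real credential)
  // sitting in the function body, i.e. in this function's source text.
  const apiKey = "sk_example_CONSTRUCTED_0000";
  // `id` is coerced to a string here. If it is a function object, its whole
  // source text, including the literal above, becomes part of the URL.
  const request = {
    url: "https://api.example.invalid/users/" + id,
    headers: { authorization: "Bearer " + apiKey },
  };
  // The upstream call is omitted; the URL is what ends up in the message the
  // client sees, so the leaked source travels back to the attacker.
  return "No user found at " + request.url;
}

// Generic guard for Server Functions: every argument must match the expected
// primitive typeof before the body runs. typeof rejects String objects and
// objects with a custom toString as well as functions.
function withPrimitiveArgs(expectedTypes, fn) {
  return function guarded(...args) {
    if (args.length !== expectedTypes.length) {
      throw new TypeError(
        `expected ${expectedTypes.length} argument(s), got ${args.length}`
      );
    }
    expectedTypes.forEach((expected, i) => {
      if (typeof args[i] !== expected) {
        throw new TypeError(
          `argument ${i} must be ${expected}, got ${typeof args[i]}`
        );
      }
    });
    return fn(...args);
  };
}

// HARDENED SHAPE: same body, but the argument is validated first and the
// secret is read from configuration at runtime instead of being hardcoded.
const lookupUserSafe = withPrimitiveArgs(["string"], function lookupUser(id) {
  const apiKey = process.env.EXAMPLE_API_KEY || ""; // hypothetical variable
  const request = {
    url: "https://api.example.invalid/users/" + id,
    headers: { authorization: "Bearer " + apiKey },
  };
  return "No user found at " + request.url;
});

// Stand-in for the non-string value the bug lets through: pass a function
// object where a string was expected and check whether the secret comes back.
function demonstrateLeak() {
  const output = lookupUserUnsafe(lookupUserUnsafe);
  return output.includes("sk_example_CONSTRUCTED_0000");
}

console.log("unsafe variant leaks hardcoded key:", demonstrateLeak());
console.log("safe variant, string arg:", lookupUserSafe("42"));
try {
  lookupUserSafe(lookupUserSafe);
} catch (err) {
  console.log("safe variant, function arg:", err.message);
}
```

The guard is deliberately strict: it rejects String objects and objects with a custom toString, not just functions, because any of them would be coerced silently. Apply the same check to every argument a Server Function interpolates, logs, or passes to a query.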

Affected Versions: React versions 19.0.0 through 19.2.1 and Next.js versions 13.x through 16.x are impacted, involving react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack.

How to mitigate it?

Upgrade to React 19.0.3, 19.1.4, or 19.2.3 or later. As defense in depth, validate the type of every Server Function argument (typeof arg === "string" for string parameters) before it is coerced or interpolated, and keep secrets out of Server Function bodies by reading them from the environment or configuration at runtime.
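The three mitigations above converge on the same patched releases, so one check covers all of them. The script below is an added example, not tooling from React or from this article: it walks an npm package-lock.json (lockfileVersion 2 or 3) and reports every copy of react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack, classifying any 19.x version older than 19.0.3, 19.1.4 or 19.2.3 on its minor line as vulnerable. That deliberately flags the intermediate fixes (19.0.1/19.0.2, 19.1.2/19.1.3, 19.2.1/19.2.2) that the later advisories superseded. The sample lockfile is constructed inline.

```javascript
// Added example (not React's code): classify react-server-dom-* versions in
// an npm lockfile against the patched releases named in the advisories.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First release on each 19.x line that carries every fix discussed above.
const FIXED_BY_MINOR = { 0: [19, 0, 3], 1: [19, 1, 4], 2: [19, 2, 3] };

// Parse "MAJOR.MINOR.PATCH". Pre-release and build suffixes are ignored, so
// "19.2.0-canary-..." is treated as 19.2.0. Returns null when unparseable.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "vulnerable", "patched", "outside-advisory" or "unknown".
function classify(version) {
  const v = parseVersion(version);
  if (!v) return "unknown"; // unparseable: inspect by hand
  if (v[0] !== 19) return "outside-advisory"; // the advisories name 19.x only
  const fixed = FIXED_BY_MINOR[v[1]];
  if (!fixed) return "patched"; // a 19.3+ line would postdate all the fixes
  return compareVersions(v, fixed) < 0 ? "vulnerable" : "patched";
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/foo" or
// "node_modules/bar/node_modules/foo", so nested copies are found too.
function scanLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({
      path,
      version: entry.version,
      status: classify(entry.version),
    });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable top-level copy and one patched
// copy nested under another dependency.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-turbopack": {
      version: "19.1.4",
    },
  },
});

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(18)} ${String(f.version).padEnd(10)} ${f.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the contents of your package-lock.json (for example via fs.readFileSync). One caveat the lockfile cannot tell you: Next.js ships its own bundled copy of react-server-dom-webpack inside the next package, so a clean scan of your lockfile does not mean the framework is patched; check the next version against the Next.js advisory separately.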

Conclusion

The recent vulnerabilities in React Server Components show how quickly a critical issue can land in a widely used dependency, and how a first patch can itself need a follow-up. Staying informed, applying patches promptly (including the follow-up releases), and consistently validating untrusted input are essential for protecting your applications and users.

Further Reading

To deepen your understanding of React security and stay ahead of potential threats, we recommend exploring the following resources. These articles and advisories provide additional insights into general security best practices and detailed analyses of specific vulnerabilities in the React ecosystem.