December 11, 2025 by The React Team
Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. These new vulnerabilities do not allow for Remote Code Execution. The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit.
The new vulnerabilities are disclosed as:
Denial of Service - High Severity : CVE-2025-55184 (CVSS 7.5)
: CVE-2025-55184 (CVSS 7.5) Source Code Exposure - Medium Severity: CVE-2025-55183 (CVSS 5.3)
We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.
Note The patches published last week are vulnerable. If you already updated for the Critical Security Vulnerability, you will need to update again. Please see the instructions in the previous post for upgrade steps.
Further details of these vulnerabilities will be provided after the rollout of the fixes are complete.
Immediate Action Required
These vulnerabilities are present in the same packages and versions as CVE-2025-55182.
... continue reading