We barely had time to cool down after the critical React2Shell error (the one with a "ten" on the CVSS scale that I wrote about earlier), and Vercel is sending notifications that are ruining our weekend coffee again.
In the security world, there is a phenomenon I call the "Flashlight Effect." When a massive hole appears in a large, popular codebase (like Next.js or React), thousands of security researchers suddenly point their beams of light right at it. Everyone wants to find "the other" vulnerability. And you know what? They just found it. Or actually – they found two.
Here is what you need to know about the new CVEs that surfaced on December 12th, and why your previous update isn't enough.
The collective effort of the Bug Bounty community (a collaboration between Vercel and Meta) revealed that the problem with React Server Components (RSC) runs deeper than we thought. We are dealing with two new actors on the stage:
Severity: High
This is a classic DoS attack, but with a modern twist. A malicious HTTP request sent to an App Router endpoint can cause the server process to hang, consuming 100% CPU. This happens during data deserialization. Interestingly, the bulletin mentions that the first fix for this bug was incomplete (which resulted in another number, CVE-2025-67779). This shows just how complicated this material is – even framework creators need a few tries to close the door properly.
Severity: Medium
Here the matter is less destructive, but more embarrassing. A specially crafted request can force the server to return the compiled source code of Server Actions.
The good news? If you follow best practices and keep secrets (API keys, passwords) in environment variables (.env) rather than hardcoding them in .ts/.js files, you are relatively safe.
The bad news? The attacker gets to know your business logic. They see how you validate data, what your edge cases are – and that is a perfect map for planning further attacks.
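To make the contrast in the two paragraphs above concrete, here is an added example (not code from the original post or from Vercel or Meta): the same Server Action written once with a hardcoded key and once reading it from the environment, plus a small heuristic scanner that flags the hardcoded variant. The file contents, the variable and function names, and the regex rules are constructed for illustration.

```javascript
// Added example, not code from the original post: the two patterns the post
// contrasts, side by side, plus a small heuristic scanner that flags the
// hardcoded one. Names, values and patterns are constructed for illustration.

// Pattern the post warns against: the secret is a literal in the Server Action
// file, so a response that leaks the compiled action source leaks the secret.
const HARDCODED_ACTION = `
"use server";
const apiKey = "constructed-example-key-0123456789";
export async function chargeCustomer(amount) {
  return fetch("https://payments.example/charge", {
    headers: { Authorization: "Bearer " + apiKey },
    body: JSON.stringify({ amount }),
  });
}
`;

// Pattern the post recommends: the value lives in the process environment
// (loaded from .env), so source disclosure exposes only the variable name.
const ENV_ACTION = `
"use server";
const apiKey = process.env.PAYMENTS_API_KEY;
export async function chargeCustomer(amount) {
  return fetch("https://payments.example/charge", {
    headers: { Authorization: "Bearer " + apiKey },
    body: JSON.stringify({ amount }),
  });
}
`;

// Heuristics for string literals that look like credentials. Deliberately
// simple; a real secret scanner carries many more rules.
const SECRET_PATTERNS = [
  { kind: "credential-named literal",
    re: /\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*["'`][^"'`]{8,}["'`]/i },
  { kind: "AWS access key id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "PEM private key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Returns one finding per matching line. Lines that read process.env are the
// intended pattern and are skipped.
function scanForHardcodedSecrets(source) {
  const findings = [];
  source.split("\n").forEach((line, index) => {
    if (/process\.env\.[A-Z0-9_]+/.test(line)) return;
    for (const { kind, re } of SECRET_PATTERNS) {
      if (re.test(line)) findings.push({ line: index + 1, kind });
    }
  });
  return findings;
}

console.log("hardcoded action:", scanForHardcodedSecrets(HARDCODED_ACTION));
console.log("env-based action:", scanForHardcodedSecrets(ENV_ACTION));
```

Run against a directory of Server Action files (for instance by reading each file and passing its text to scanForHardcodedSecrets) before deploying; a hit means the source-disclosure bug would hand an attacker the value itself rather than just the name of an environment variable.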
First: Scope. The problem affects React 19 (versions 19.0.0 to 19.2.1) and Next.js (from versions 13.x all the way to the newest 16.x). If you use the App Router, you are in the crosshairs.
Second: A false sense of security. Many admins breathed a sigh of relief after patching React2Shell. However, Vercel's message is brutally clear:
"Even customers who have patched against React2Shell need to upgrade to the latest version."
This is not an optional optimization patch. It is a necessity.
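Because the scope above is stated as version ranges, the quickest check is a script over what is actually installed. The following is an added example, not code from the original post or from Vercel or Meta: it flags react versions inside the 19.0.0 to 19.2.1 range the post names, and Next.js versions whose major is 13 through 16. The post does not list the patched Next.js version numbers, so for Next.js the script can only say "in the affected major range, verify against the advisory". The sample dependency listing is constructed.

```javascript
// Added example, not code from the original post or from Vercel/Meta: check
// whether the react and next versions in a dependency listing fall inside the
// affected ranges the post names (React 19.0.0 through 19.2.1; Next.js majors
// 13 through 16 when the App Router is used). The post gives no patched
// Next.js version numbers, so Next.js is only flagged as "in the affected
// major range, verify against the advisory".

// Parse "19.2.1", "^19.2.1", ">=16.0.0" etc. into numeric parts; the range
// prefix is dropped because only the pinned/installed version matters.
function parseVersion(spec) {
  const m = /^[^\d]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// React: affected if 19.0.0 <= v <= 19.2.1 (range taken from the post).
function reactAffected(spec) {
  const v = parseVersion(spec);
  if (!v) return false;
  return compareVersions(v, { major: 19, minor: 0, patch: 0 }) >= 0 &&
         compareVersions(v, { major: 19, minor: 2, patch: 1 }) <= 0;
}

// Next.js: the post names majors 13.x through 16.x; patched releases exist
// inside those majors, so this only says "needs verification", not "vulnerable".
function nextInAffectedMajors(spec) {
  const v = parseVersion(spec);
  return v !== null && v.major >= 13 && v.major <= 16;
}

// Accepts either a package.json ({ dependencies: { react: "19.2.1" } }) or the
// `npm ls --json` shape ({ dependencies: { react: { version: "19.2.1" } } }).
// Prefer the latter: a "^19.0.0" range in package.json says nothing about the
// version actually installed.
function auditDependencies(listing) {
  const deps = { ...(listing.dependencies || {}), ...(listing.devDependencies || {}) };
  const versionOf = (name) => {
    const d = deps[name];
    if (d === undefined) return null;
    return typeof d === "string" ? d : d.version;
  };
  const findings = [];
  const react = versionOf("react");
  if (react !== null && reactAffected(react)) {
    findings.push({ pkg: "react", version: react, status: "affected: upgrade" });
  }
  const next = versionOf("next");
  if (next !== null && nextInAffectedMajors(next)) {
    findings.push({ pkg: "next", version: next,
                    status: "in affected major range: verify against advisory" });
  }
  return findings;
}

// Constructed sample in `npm ls --json` shape, for illustration only.
const SAMPLE_LISTING = {
  dependencies: {
    next: { version: "15.1.0" },
    react: { version: "19.2.1" },
    "react-dom": { version: "19.2.1" },
  },
};

console.log(auditDependencies(SAMPLE_LISTING));
```

Feed it the parsed output of npm ls --json (or the equivalent from your package manager) rather than package.json, since a caret range in package.json can resolve to a version on either side of the fix; an empty findings array means neither package is in the named ranges, but a Next.js hit still needs the advisory's exact patched version to decide.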
What we are witnessing is the growing pains of React Server Components. Moving rendering logic to the server has blurred the line between frontend and backend, creating new attack vectors that we are just learning about.
Remember the principle of limited trust. Frameworks do a lot of magic for us, but when the magic fails, we are left with our hands in... the server logs.
What to do?
Update next and react to the latest versions (patched as of December 12th).

Have a safe (and hopefully, finally quiet) weekend.
Aleksander
No. These new vulnerabilities (CVE-2025-55184 and CVE-2025-55183) are separate and require an additional update to Next.js and React versions patched on December 12, 2024. Even if you applied the previous patch, you need to update again.
The problem affects Next.js versions from 13.x to the latest 16.x that use the App Router and React Server Components. The Pages Router is not vulnerable to these specific CVEs.
If you store API keys, passwords, and other secrets in environment variables (.env) instead of hardcoding them in your code, they are safe. However, attackers can see the business logic of your Server Actions, which can help in planning further attacks.
Chief Technology Officer at SecurHub.pl
PhD candidate in neuroscience. Psychologist and IT expert specializing in cybersecurity.