Denial of service and source code exposure in React Server Components

Summary

December 11, 2025 by The React Team

Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week's critical vulnerability. These new vulnerabilities do not allow for Remote Code Execution. The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit.

The new vulnerabilities are disclosed as:

These issues are present in the patches published last week. We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.

Note: It's common for critical CVEs to uncover follow-up vulnerabilities. When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed. This pattern shows up across the industry, not just in JavaScript. For example, after Log4Shell, additional CVEs (1, 2) were reported as the community probed the original fix. Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.

Further details of these vulnerabilities will be provided after the rollout of the fixes is complete.

Immediate Action Required

These vulnerabilities are present in the same packages and versions as CVE-2025-55182. This includes versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of:

Fixes were backported to versions 19.0.2, 19.1.3, and 19.2.2. If you are using any of the above packages, please upgrade to any of the fixed versions immediately.

As before, if your app's React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

Note: The patches published last week are vulnerable. If you already updated for the Critical Security Vulnerability, you will need to update again.
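As an added example that is not part of the React Team's advisory: a Node.js check that walks a package-lock.json and reports every installed copy of a React Server Components package that is still on one of the versions the advisory lists, together with the fixed release for that minor line. The advisory's package list did not survive in this copy of the page, so matching packages by the react-server-dom- name prefix is an assumption of this example, as is the constructed sample lockfile; the version table itself is taken from the advisory text above.

```javascript
"use strict";

// Affected version -> fixed version, exactly as listed in the advisory.
const FIXED_FOR = Object.freeze({
  "19.0.0": "19.0.2", "19.0.1": "19.0.2",
  "19.1.0": "19.1.3", "19.1.1": "19.1.3", "19.1.2": "19.1.3",
  "19.2.0": "19.2.2", "19.2.1": "19.2.2",
});

// Assumption for this example: the affected packages are the React Server
// Components bundles published under react-server-dom-* names. The advisory's
// own package list was not captured on this page, so adjust this as needed.
const PACKAGE_PATTERN = /^react-server-dom-/;

function isAffected(name, version) {
  return PACKAGE_PATTERN.test(name) && Object.hasOwn(FIXED_FOR, version);
}

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return every
// installed copy of an affected package, including nested duplicates that a
// dependency pins under its own node_modules.
function findAffected(lockfile) {
  const hits = [];

  if (lockfile.packages) {
    // v2/v3: flat map keyed by install path, e.g. "node_modules/a/node_modules/b".
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path === "" || !entry || !entry.version) continue; // root or workspace link
      const name = entry.name || path.split("node_modules/").pop();
      if (isAffected(name, entry.version)) {
        hits.push({ path, name, version: entry.version, fixed: FIXED_FOR[entry.version] });
      }
    }
  } else if (lockfile.dependencies) {
    // v1: nested tree of { name: { version, dependencies: {...} } }.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (entry.version && isAffected(name, entry.version)) {
          hits.push({ path, name, version: entry.version, fixed: FIXED_FOR[entry.version] });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lockfile.dependencies, "");
  }
  return hits;
}

// One human-readable line per finding.
function report(hits) {
  if (hits.length === 0) return ["No affected react-server-dom-* versions found."];
  return hits.map((h) => `${h.path}: ${h.name}@${h.version} is affected, upgrade to ${h.fixed}`);
}

// Constructed sample lockfile (not from any real project): a hoisted copy still
// on last week's patch release, a nested copy already on a fixed release, and an
// unrelated package whose version happens to appear in the table.
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.2.2" },
    "node_modules/unrelated-lib": { version: "19.0.0" },
  },
};

console.log(report(findAffected(SAMPLE_LOCKFILE)).join("\n"));
```

For a real project, pass the parsed lockfile instead of the sample, e.g. `findAffected(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`. The walk reports every install path rather than the first match because a fixed hoisted copy does not help when a dependency pins its own older react-server-dom-* under its node_modules; the advisory's second note (last week's patches are themselves vulnerable) is why 19.x.1-style versions appear in the affected table alongside 19.x.0.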
Affected frameworks a...
