React Server Components (RSC) are again in the spotlight after the disclosure of two additional vulnerabilities, CVE-2025-55183 and CVE-2025-55184. These issues emerged during analysis of the response to React2Shell, the maximum-severity vulnerability tracked as CVE-2025-55182. While the earlier flaw was associated with remote code execution in vulnerable React deployments, the newly identified issues do not enable RCE. Instead, they introduce the risk of denial-of-service conditions and, in one case, source code disclosure.
According to the React team, the original fixes for CVE-2025-55182 blocked the remote code execution path, but follow-on review revealed additional security problems in the same RSC area. The newly published vulnerabilities affect the same RSC packages and versions as CVE-2025-55182, and updates are available in versions 19.0.3, 19.1.4, and 19.2.3.
What CVE-2025-55183 and CVE-2025-55184 Affect
CVE-2025-55183 and CVE-2025-55184 are React Server Components issues that were identified after the initial React2Shell disclosure. They were discovered while researchers examined the effectiveness of the first patches; that review also confirmed that the new flaws do not reopen the RCE vector associated with CVE-2025-55182. Even so, both vulnerabilities can still disrupt affected applications in serious ways.
CVE-2025-55184 is a denial-of-service issue tied to unsafe deserialization in Server Function request handling. The source material states that this behavior can trigger an infinite loop and effectively hang the server. CVE-2025-55183 is a separate issue that can allow specially crafted requests to leak Server Function source code under specific conditions.
Severity and Security Impact
The source material notes that the new issues carry measurable risk even though they do not allow remote code execution. CVE-2025-55184 and CVE-2025-67779 are described as denial-of-service flaws with a CVSS score of 7.5, while CVE-2025-55183 is described as a source code disclosure issue with a CVSS score of 5.3. It also notes that CVE-2025-67779 addresses an incomplete fix for CVE-2025-55184 and carries the same security impact.
For defenders, the main concern is that these vulnerabilities can still affect application availability and confidentiality. A server hang caused by an infinite loop can interrupt service, while source code disclosure may expose implementation details that are not intended to be public.
Key Facts Security Teams Should Know
- The issues were found during analysis of patches related to CVE-2025-55182, also known as React2Shell.
- CVE-2025-55183 can leak Server Function source code under specific conditions.
- CVE-2025-55184 can lead to denial of service through unsafe deserialization in Server Function request handling.
- These vulnerabilities affect the same RSC packages and versions as CVE-2025-55182.
- Fixed versions are 19.0.3, 19.1.4, and 19.2.3.
Why These Follow-On Findings Matter
The React team notes that follow-on disclosures are a common outcome after major vulnerabilities. In this case, the initial exploitation wave around React2Shell led to further scrutiny of React Server Components and the discovery of additional flaws. The source material does not confirm a broader root cause beyond the unsafe deserialization issue identified for CVE-2025-55184, and it does not state a root cause for the source code disclosure problem in CVE-2025-55183.
Security teams using affected React deployments should prioritize patching to the fixed versions and assess exposure to the newly disclosed RSC issues. The combination of service disruption risk and potential source code leakage makes these vulnerabilities important to address promptly.
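A quick exposure check over an npm lockfile, as an added example that is not code from the React project or the advisory: it compares each RSC package entry against the fixed releases named above (19.0.3, 19.1.4, 19.2.3) and treats a prerelease of a fixed version as still vulnerable. The package names and the package-lock v3 layout are assumptions, since the page names neither.

```python
import json
import re

# Fixed releases named on the page, keyed by (major, minor) release line.
FIXED = {(19, 0): (19, 0, 3), (19, 1): (19, 1, 4), (19, 2): (19, 2, 3)}
# ASSUMPTION: the page does not name the RSC packages; adjust to your bundler's react-server-dom-* package.
RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"}
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def parse_version(v):
    """Split 'MAJOR.MINOR.PATCH[-prerelease]' into (major, minor, patch, prerelease)."""
    m = _SEMVER.match(v.strip())
    if not m:
        raise ValueError(f"not a semver release string: {v!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]

def assess(version):
    """Return 'vulnerable', 'fixed', or 'outside-fixed-lines' for one installed version."""
    major, minor, patch, pre = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "outside-fixed-lines"  # not a 19.0/19.1/19.2 release; consult the advisory
    if (major, minor, patch) < fixed:
        return "vulnerable"
    if (major, minor, patch) == fixed and pre is not None:
        return "vulnerable"  # a prerelease (e.g. a canary build) sorts before the fixed release
    return "fixed"

def scan_lockfile(lock_text):
    """Map each RSC package entry in a package-lock (v2/v3 'packages' map) to (version, status)."""
    findings = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules paths
        if name in RSC_PACKAGES and "version" in meta:
            findings[path] = (meta["version"], assess(meta["version"]))
    return findings

# Constructed sample lockfile: one direct RSC dependency still on a vulnerable
# version and one nested copy already on a fixed release; plain 'react' is ignored.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/react": {"version": "19.2.2"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.2"},
    "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.1.4"},
}})

if __name__ == "__main__":
    for path, (ver, status) in scan_lockfile(SAMPLE_LOCK).items():
        print(f"{status:20} {ver:10} {path}")
```

Versions outside the 19.0, 19.1 and 19.2 lines are reported separately rather than guessed at, because the page does not list the full affected range.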
Conclusion
CVE-2025-55183 and CVE-2025-55184 expand the security impact of the React2Shell aftermath without enabling remote code execution. One flaw can hang servers through an infinite loop, and the other can disclose Server Function source code. Organizations running affected React Server Components versions should move to the available fixed releases as soon as possible.