Last week the React Blog released information about React2Shell, a vulnerability that left many applications open to Unauthenticated Remote Code Execution (RCE); you can read about it, together with steps on how to mitigate, in our last blog post. It is common that once one vulnerability is identified, further issues are subsequently found in the same codebase, usually either as variants of the same issue type or because more eyes are now on the code due to the public attention.
The React Blog has followed up with two more vulnerabilities (CVE-2025-55184 and CVE-2025-55183) in the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. These vulnerabilities are not of the same severity as the original: while it is still important to upgrade to the fixed versions, their impact is limited to specific application configurations. The first is a Denial of Service (DoS) vulnerability that can cause the application to use up CPU resources in an infinite loop. The second is a source code disclosure that can leak sensitive information, such as secrets, if you write them inline in a server component.
NextJS has also issued a blog post about related issues, since it depends on these libraries, with recommendations on patching.
Key Facts
Patching for React2Shell does not protect you against these new issues; they were patched later.
The React Server Components packages have released patched versions 19.0.2, 19.1.3, and 19.2.2:
react-server-dom-parcel@19.0.2
react-server-dom-parcel@19.1.3
react-server-dom-parcel@19.2.2
react-server-dom-turbopack@19.0.2
react-server-dom-turbopack@19.1.3
react-server-dom-turbopack@19.2.2
react-server-dom-webpack@19.0.2
react-server-dom-webpack@19.1.3
react-server-dom-webpack@19.2.2
NextJS has been patched in versions:
next@15.0.6
next@15.1.10
next@15.2.7
next@15.3.7
next@15.4.9
next@15.5.8
next@15.6.0-canary.59
next@16.0.9
next@16.1.0-canary.17
Semgrep Supply Chain customers have detection rules for these issues included by default.
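As an added example (not code from the React, NextJS or Semgrep advisories), the script below checks a package-lock.json against the patched versions listed above, treating each minor line separately so that, for instance, react-server-dom-webpack 19.1.2 is flagged while 19.2.2 is not; the lockfile fragment and any package names not on this page are constructed.

```javascript
// Patched minimums per minor line, taken from the version list above.
const RSD = ["19.0.2", "19.1.3", "19.2.2"]; // shared by all react-server-dom-* packages
const PATCHED = {
  "react-server-dom-parcel": RSD, "react-server-dom-turbopack": RSD, "react-server-dom-webpack": RSD,
  "next": ["15.0.6", "15.1.10", "15.2.7", "15.3.7", "15.4.9", "15.5.8",
           "15.6.0-canary.59", "16.0.9", "16.1.0-canary.17"],
};

// Parse "X.Y.Z" or "X.Y.Z-canary.N"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], canary: m[4] === undefined ? null : +m[4] };
}

// Order two parsed versions: a stable release outranks any canary of the same X.Y.Z.
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.canary === b.canary) return 0;
  if (a.canary === null) return 1;
  if (b.canary === null) return -1;
  return a.canary - b.canary;
}

// "patched" / "vulnerable" for a minor line the advisory covers; anything else is reported, not guessed.
function assessPackage(name, version) {
  const lines = PATCHED[name];
  if (!lines) return "not-listed";
  const v = parseVersion(version);
  if (!v) return "unparseable";
  const fix = lines.map(parseVersion).find(f => f.major === v.major && f.minor === v.minor);
  if (!fix) return "unknown-line";
  return compare(v, fix) >= 0 ? "patched" : "vulnerable";
}

// Walk a lockfileVersion 2/3 "packages" map; keys look like "node_modules/a/node_modules/@scope/b".
function auditLockfile(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!(name in PATCHED)) continue; // also skips the root project entry ""
    out.push({ path, version: meta.version, status: assessPackage(name, meta.version) });
  }
  return out;
}

const SAMPLE_LOCK = { lockfileVersion: 3, packages: { // constructed, hypothetical project
  "": { name: "demo-app" }, "node_modules/next": { version: "15.5.7" },
  "node_modules/react-server-dom-webpack": { version: "19.1.2" },
  "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.2.2" },
} };
console.table(auditLockfile(SAMPLE_LOCK));
```

Nested copies under another dependency's node_modules are found as well, which is where a transitive react-server-dom-* install typically hides.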
For Our Customers
Semgrep Supply Chain customers are protected from these two new vulnerabilities, as well as the original React2Shell, as of 2025-12-12T01:44:13+00:00. You can directly find any findings relating to the original React2Shell and these follow-on issues using this URL.
Columns are grouped by minor line (19.0.n, 19.1.n, 19.2.n); ❌ = affected, ✅ = patched.

CVE            | Issue                       | 19.0.0 | 19.0.1 | 19.0.2 | 19.1.0 | 19.1.1 | 19.1.2 | 19.1.3 | 19.2.0 | 19.2.1 | 19.2.2
---------------|-----------------------------|--------|--------|--------|--------|--------|--------|--------|--------|--------|-------
CVE-2025-55182 | Remote Code Execution (RCE) | ❌     | ✅     | ✅     | ❌     | ❌     | ✅     | ✅     | ❌     | ✅     | ✅
CVE-2025-55183 | Source Code Exposure        | ❌     | ❌     | ✅     | ❌     | ❌     | ❌     | ✅     | ❌     | ❌     | ✅
CVE-2025-55184 | Denial of Service (DoS)     | ❌     | ❌     | ✅     | ❌     | ❌     | ❌     | ✅     | ❌     | ❌     | ✅
CVE-2025-55183: Source Code Disclosure
Source code exposure is an issue where application source code is revealed to an outside party; it is usually considered critical when the source contains hardcoded credentials or other sensitive information. In the case of CVE-2025-55183, exploitation requires two specific preconditions:
A Server Function must explicitly or implicitly expose a stringified argument that originated within its scope.
Sensitive data will only be leaked if it is within the Server Function code block.
It is still better to patch; however, the risk of sensitive information being leaked appears quite low.