New React vulns leak secrets, invite DoS attacks

Summary

New vulnerabilities in React Server Components (RSC) have been disclosed that let attackers cause high-severity denial-of-service conditions and, in some setups, expose secrets hardcoded in server source. The issues, tracked as CVE-2025-55184 and CVE-2025-67779 (denial of service, CVSS 7.5) and CVE-2025-55183 (source-code and secret exposure, CVSS 5.3), were found while researchers probed the patch for the earlier critical React2Shell RCE (CVE-2025-55182).

React says specially crafted HTTP requests can force server functions into infinite loops that hang the process and burn CPU. The secrets-leak bug only applies to a specific server function pattern in which an argument is converted to string form; in that case it can reveal values hardcoded in the function's source. Secrets read from the runtime environment (e.g. process.env.*) are not exposed. The flaws exist across multiple react-server-dom packages, in the same versions affected by React2Shell, and the previously released fixes do not cover them, so apps updated last week may still be vulnerable and must be updated again.

Key Points

  • Three new CVEs affect React Server Components: two DoS (CVE-2025-55184, CVE-2025-67779) and one source-code/secret exposure (CVE-2025-55183).
  • DoS bugs can be triggered by a crafted HTTP request that causes an infinite loop in server function handling, hanging the server and wasting CPU.
  • The secrets-leak vulnerability can expose hardcoded secrets in source code if a particular server function argument is converted to a string; runtime env secrets are not impacted.
  • All three new CVEs affect the same react-server-dom packages and versions that were vulnerable to React2Shell (the 19.0.0–19.2.2 series); the earlier React2Shell patch releases (e.g. 19.0.2, 19.1.3, 19.2.2) do not fix the new CVEs, so a further update is required.
  • Researchers credited: RyotaK and Shinsaku Nomura reported the DoS issues; Andrew MacPherson found the secrets-leak flaw.
  • React2Shell (CVE-2025-55182) remains under active exploitation with multiple intrusion clusters; many exposed servers remain unpatched and attackers — including state-linked groups — have been observed abusing the earlier flaw.
  • Security firms warn this incident echoes Log4Shell-era urgency: wide impact, fast exploitation, and potential for follow-on attacks such as ransomware or miner deployments.

Context and relevance

This follows the very recent React2Shell crisis: an RCE in React server-side packages that has been actively exploited. The new DoS and secrets-leak bugs broaden the risk profile for any organisation using React Server Components or frameworks that bundle the affected react-server-dom packages. Given the active exploitation history and incomplete prior patches, operators and developers should treat this as a priority patching and mitigation task.

Why should I read this?

Because if your app uses React Server Components or those react-server-dom packages, this is the kind of mess you don’t want to wake up to: servers hanging, secrets leaked from source, and attackers already prowling. TL;DR — patch now, check versions, and verify fixes.

Author’s take

Punchy and blunt: this is high-stakes and time-sensitive. React2Shell already showed how fast attackers move; these follow-ups mean “updated last week” isn’t good enough. If you manage web services, stop whatever non-critical task you’re doing and confirm your react-server-dom packages are on the fully fixed releases.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/12/new_react_secretleak_bugs/