We're informing you about two additional vulnerabilities (CVE-2025-55184 and CVE-2025-55183) identified in the React Server Components (RSC) implementation, affecting frameworks such as Next.js.
The React2Shell incident sparked community research into React Server Components, and these vulnerabilities were discovered by an external security researcher through Vercel and Meta's bug bounty program. We're grateful for this community effort.
There is no evidence these vulnerabilities have been exploited.
What we've found:
CVE-2025-55184 (High Severity – Denial of Service): A malicious HTTP request sent to any App Router endpoint can, when deserialized, cause the server process to hang and consume CPU. This impacts all versions handling RSC requests. The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779.
CVE-2025-55183 (Medium Severity – Source Code Exposure): A malicious HTTP request sent to any App Router endpoint can return the compiled source code of Server Actions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into a Server Action's code.
Update your applications to the latest patched version
Even customers who have patched against React2Shell need to upgrade to the latest version. Updates to React2Shell will continue to be posted in the React2Shell Security Bulletin.
Visit the latest Security Bulletin to learn more and for guidance on automated fixes.
We will continue to monitor for emerging risks and remain committed to transparent, timely disclosures.
My learnings from Davos
I just got back from Davos. For all its polish, the conversations were very real.
A Message from Andrew Feldman, Founder and CEO
Greetings friends and supporters. It's Andrew.
From now on, I'm going to send you the occasional email when I have something worth sharing.
I just got back from Davos. For all its polish, the conversations were very real.
In side rooms and late dinners, global leaders kept c...
Viva Las Cerebras! A special offer for AWS re:Invent
Join us for exclusive offers and events
Headed to AWS re:Invent in Las Vegas, December 1–5? There are no sure bets in Vegas, but the odds are stacked in your favor when you build on the world’s fastest AI infrastructure (20x faster than NVIDIA GPUs) through AWS Marketplace!
Here’s what you need to know:
The Offer: Don't step foot on the expo floor until you've tried the fastest frontier open models like GLM-4.6, OpenAI's GPT OSS 120B & more, powered by Cerebras Inference on AWS Marketplace — no new vendor approvals, no procurement, just use your existing account and pay-as-you-go. While s...
Comments
Post a Comment