
Friday, December 12th 2025 · 2 min read

React DoS & Source Code Exposure - Starter Kits Updated

Two new React Server Components vulnerabilities discovered. All Achromatic starter kits updated to patched versions.

Just days after the critical React2Shell vulnerability, security researchers have discovered two additional vulnerabilities in React Server Components while probing the original patches.

We've updated all Achromatic starter kits to the latest patched versions.

What's new?

The React team disclosed two new vulnerabilities on December 11th, described below.

These do not allow Remote Code Execution like React2Shell. However, they can still cause significant harm to your applications.

Denial of Service (CVE-2025-55184 & CVE-2025-67779)

A malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, causes an infinite loop that hangs the server process and consumes CPU.

Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if it supports React Server Components.

Source Code Exposure (CVE-2025-55183)

A malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. This can leak secrets that are hardcoded in source code.

server-function.ts
'use server';

// `db` is assumed to be a database client imported elsewhere in the module; the import is not shown here.
export async function serverFunction(name: string) {
  const conn = db.createConnection('SECRET KEY'); // Could be leaked!
  const user = await conn.createUser(name);
  return {
    id: user.id,
    message: `Hello, ${name}!`
  };
}

Runtime secrets like process.env.SECRET are not affected - only secrets hardcoded in your source code.

Previous patches are incomplete

If you updated to React 19.0.2, 19.1.3, or 19.2.2 after the React2Shell disclosure, you need to update again. Those patches were incomplete and still vulnerable to these new attacks.

The safe versions are 19.0.3, 19.1.4, and 19.2.3.

What we've done

All Achromatic starter kits have been updated to the latest patched versions.

What you should do

New projects

Clone any of our starter kits. They're already running the patched versions.

Existing projects

Update your dependencies immediately:

Terminal
pnpm install next@latest react@latest react-dom@latest

Or use the official codemod:

Terminal
npx @next/codemod@canary upgrade latest

Verify your React packages are at version 19.0.3, 19.1.4, or 19.2.3 or higher.

Why follow-up CVEs happen

When a critical vulnerability is disclosed, security researchers scrutinize adjacent code paths looking for variant exploit techniques. This is common across the industry - after Log4Shell, multiple additional CVEs were reported as the community probed the original fix.

Additional disclosures can be frustrating, but they're a sign of a healthy security response cycle.

Looking for a secure foundation for your SaaS? Our starter kits are always kept up-to-date with the latest security patches.

Stay secure!