
React's/Next.js Worst Week Ever! Just Got Worse


If you're a React/Next.js developer who diligently updated your packages last week after the critical React2Shell vulnerability (CVE-2025-55182), I have some frustrating news: you need to update again.

Security researchers, while probing the patches from last week's critical Remote Code Execution fix, discovered two additional vulnerabilities lurking in the same code paths.

The good news? These new vulnerabilities don't allow Remote Code Execution. The bad news? They're still serious enough to warrant immediate action.

What's New: Two More CVEs

1. Denial of Service (CVE-2025-55184) - High Severity

A malicious HTTP request can trigger an infinite loop when deserialized by React, hanging your server process and consuming CPU. Even if you don't explicitly implement Server Functions, your app may still be vulnerable if it supports React Server Components.

2. Source Code Exposure (CVE-2025-55183) - Medium Severity

A crafted request to a vulnerable Server Function can leak its source code, including any hardcoded secrets. If you've got database connection strings, API keys, or credentials directly in your 'use server' functions (instead of environment variables), they could be exposed.

Are You Affected?

You're safe if:

  • Your React app is purely client-side (no server)

  • You don't use a framework/bundler that supports React Server Components

You're vulnerable if you use these packages:

  • react-server-dom-webpack

  • react-server-dom-parcel

  • react-server-dom-turbopack

Or these frameworks:

  • Next.js

  • React Router

  • Waku

  • @parcel/rsc

  • @vitejs/plugin-rsc

  • rwsdk (RedwoodJS)

Vulnerable versions:

19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1 and 19.2.2

Step-by-Step Fix

Next.js

All users should upgrade to the latest patched version in their release line:

npm install next@14.2.35  # for 13.3.x, 13.4.x, 13.5.x, 14.x
npm install next@15.0.7   # for 15.0.x
npm install next@15.1.11  # for 15.1.x
npm install next@15.2.8   # for 15.2.x
npm install next@15.3.8   # for 15.3.x
npm install next@15.4.10  # for 15.4.x
npm install next@15.5.9   # for 15.5.x
npm install next@16.0.10  # for 16.0.x

npm install next@15.6.0-canary.60   # for 15.x canary releases
npm install next@16.1.0-canary.19   # for 16.x canary releases

If you are on Next.js 13.3 or a later 13.x release (13.3.x, 13.4.x, or 13.5.x), please upgrade to version 14.2.35.

If you are on next@14.3.0-canary.77 or a later Canary release, downgrade to the latest stable 14.x release:

npm install next@14

React Router

If you are using React Router’s unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:

npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest
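As an added check (example code, not from the original post or the React project), the following Node script audits a package-lock.json (lockfileVersion 2/3 "packages" map) against the vulnerable react-server-dom-* versions and the patched Next.js releases listed above. The lockfile fragment is constructed, and treating canary builds and versions below 13.3 as "needs manual review" is an assumption of this example.

```javascript
// Added example, not code from the original post: audit a package-lock.json
// "packages" map for the react-server-dom-* versions the advisory lists as
// vulnerable and for Next.js versions below the patched release of their line.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const VULNERABLE_RSC_VERSIONS = new Set([
  "19.0.0", "19.0.1", "19.0.2", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1", "19.2.2",
]);
// First patched stable release per Next.js line; 13.3.x-13.5.x and all 14.x go to 14.2.35.
const NEXT_PATCHED = { "15.0": "15.0.7", "15.1": "15.1.11", "15.2": "15.2.8", "15.3": "15.3.8",
  "15.4": "15.4.10", "15.5": "15.5.9", "16.0": "16.0.10" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}
const cmp = (a, b) => a.major - b.major || a.minor - b.minor || a.patch - b.patch;

// true = at/above the patched release, false = below it, null = canary, pre-13.3 or unknown line (review manually).
function nextIsPatched(version) {
  const v = parseVersion(version);
  if (!v || v.pre || v.major < 13 || (v.major === 13 && v.minor < 3)) return null;
  if (v.major <= 14) return cmp(v, parseVersion("14.2.35")) >= 0;
  const floor = NEXT_PATCHED[`${v.major}.${v.minor}`];
  return floor ? cmp(v, parseVersion(floor)) >= 0 : null;
}

function auditLock(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0 || !info.version) continue; // root entry or a link without a version
    const name = path.slice(i + "node_modules/".length); // keeps @scope/name intact
    if (RSC_PACKAGES.includes(name) && VULNERABLE_RSC_VERSIONS.has(info.version)) {
      findings.push({ path, version: info.version, issue: "vulnerable react-server-dom version" });
    } else if (name === "next") {
      const ok = nextIsPatched(info.version);
      if (ok === false) findings.push({ path, version: info.version, issue: "Next.js below patched release" });
      else if (ok === null) findings.push({ path, version: info.version, issue: "Next.js version needs manual review" });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment, not a real project (note the nested copy under waku).
const SAMPLE_LOCK = { packages: {
  "node_modules/next": { version: "15.5.8" },
  "node_modules/react-server-dom-webpack": { version: "19.2.2" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.3" },
  "node_modules/waku/node_modules/react-server-dom-webpack": { version: "19.1.1" },
} };
for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.issue}: ${f.path}@${f.version}`);
```

Nested copies matter because a framework can pin its own react-server-dom-* build under its own node_modules, so checking only the top-level dependency misses them.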

Key points to remember:

  • The source code exposure vulnerability can leak secrets hardcoded in the source code. Audit any 'use server' functions and make sure secrets are read from environment variables (process.env.SECRET) rather than written inline; runtime environment variables are not exposed by this bug.

  • If you updated last week for the critical RCE vulnerability, you need to update again

  • Hosting providers like Vercel have temporary mitigations, but don't rely on them

  • React Native users only need to update if using these specific RSC packages in a monorepo


Learn more about these vulnerabilities in detail here.




Yogesh Chavan


Full Stack Developer | JavaScript | React | Nodejs. Subscribe to my YouTube Channel: https://www.youtube.com/@codingmastery_dev