# React's/Next.js Worst Week Ever! Just Got Worse

If you're a React/Next.js developer who diligently updated your packages last week after the critical [React2Shell vulnerability (CVE-2025-55182)](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components), I have some frustrating news: **you need to update again.**

Security researchers, while probing the patches from last week's critical Remote Code Execution fix, discovered two additional vulnerabilities lurking in the same code paths.

The good news? These new vulnerabilities don't allow Remote Code Execution. The bad news? They're still serious enough to warrant immediate action.

## What's New: Two More CVEs

### 1\. Denial of Service (CVE-2025-55184) - High Severity

A malicious HTTP request can trigger an infinite loop when deserialized by React, hanging your server process and consuming CPU. Even if you don't explicitly implement Server Functions, your app may still be vulnerable if it supports React Server Components.

### 2\. Source Code Exposure (CVE-2025-55183) - Medium Severity

A crafted request to a vulnerable Server Function can leak its source code, including any hardcoded secrets. If you've got database connection strings, API keys, or credentials directly in your 'use server' functions (instead of environment variables), they could be exposed.

Are You Affected?

**You're safe if:**

* Your React app is purely client-side (no server)
    
* You don't use a framework/bundler that supports React Server Components
    

**You're vulnerable if you use these packages:**

* react-server-dom-webpack
    
* react-server-dom-parcel
    
* react-server-dom-turbopack
    

**Or these frameworks:**

* Next.js
    
* React Router
    
* Waku
    
* @parcel/rsc
    
* @vitejs/plugin-rsc
    
* rwsdk (RedwoodJS)
    

**Vulnerable versions:**

19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2

## Step-by-Step Fix

### **Next.js**

All users should upgrade to the latest patched version in their release line:

```bash
npm install next@14.2.35  // for 13.3.x, 13.4.x, 13.5.x, 14.x
npm install next@15.0.7   // for 15.0.x
npm install next@15.1.11  // for 15.1.x
npm install next@15.2.8   // for 15.2.x
npm install next@15.3.8   // for 15.3.x
npm install next@15.4.10  // for 15.4.x
npm install next@15.5.9   // for 15.5.x
npm install next@16.0.10  // for 16.0.x

npm install next@15.6.0-canary.60   // for 15.x canary releases
npm install next@16.1.0-canary.19   // for 16.x canary releases
```

If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) please upgrade to version `14.2.35`.

If you are on `next@14.3.0-canary.77` or a later Canary release, downgrade to the latest stable 14.x release:

```bash
npm install next@14
```

### **React Router**

If you are using React Router’s unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:

```bash
npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest
```

## Key points to remember:

* The source code exposure vulnerability can leak secrets **hardcoded in the source code**. Audit any `'use server'` functions and ensure you're using environment variables (`process.env.SECRET`) rather than inline secrets, runtime env vars are not exposed.
    
* If you updated last week for the critical RCE vulnerability, you need to update again
    
* Hosting providers like Vercel have temporary mitigations, but don't rely on them
    
* React Native users only need to update if using these specific RSC packages in a monorepo
    

---

## [Learn more about these vulnerabilities in detail here.](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)

---

**Access The Ultimate React Ebooks Collection By Clicking The Image Below👇**

[**Download The Complete Redux Toolkit Ebook Here**](https://www.dropbox.com/scl/fi/vnszyiunuk62xkspjf09k/12_Redux-Toolkit_Getting_Started.pdf?rlkey=yqrxqjfsqo7wbz8p7vka4ub63&st=s024jf7j&dl=0)

[**Download The useReducer Hook Ebook He**](https://www.dropbox.com/scl/fi/xdmakhu6sxc2np4wkw8yv/React_Fundamentals_useReducer_Hook.pdf?rlkey=ygyt0febc580j3d3guvyifnpy&st=5zb2mpr2&dl=0)

[![React Ebooks Collection](https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdt00waa0e5sb77xdckwz.png align="left")](https://courses.yogeshchavan.dev/the-ultimate-react-ebooks-components-hooks-redux-routing-and-more)

* [**Check Out All My Courses**](https://courses.yogeshchavan.dev/)
    
* [**Follow Me On LinkedIn For Regular Updates**](https://www.linkedin.com/in/yogesh-chavan97/)
    
* [**GitHub**](https://github.com/myogeshchavan97)
