If you're running React Server Components, you just can't catch a break. In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server Function source code, so anyone using RSC or frameworks that support it should patch quickly.

The latest vulnerabilities - two high-severity denial-of-service bugs tracked as CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5), and a source-code exposure flaw tracked as CVE-2025-55183 (CVSS 5.3) - were found by security researchers attempting to poke holes in the patch for the earlier maximum-severity React flaw that is under active exploitation.

CVE-2025-55182, the React server-side vulnerability dubbed "React2Shell" disclosed and patched on December 3, allows for remote code execution (RCE
