React2Shell Was Just the Beginning

brian@dws.team
December 15, 2025

Two More React Server Component Vulnerabilities Need Immediate Attention

A few days after our original post on the critical React vulnerability known as React2Shell (read it here: React CVE High Alert), the security landscape shifted again.

React’s team has published a follow‑up advisory describing two new vulnerabilities in React Server Components, and Vercel has confirmed these affect React, Next.js, and related frameworks. These aren’t the same as React2Shell, but they’re just as important to address.


What’s New: Denial of Service and Source Code Exposure

According to the official React security update on denial of service and source exposure, two additional vulnerabilities were discovered while analyzing and patching React2Shell:

  • CVE‑2025‑55184: high severity denial of service. A specially crafted request can cause the server to hang and consume CPU indefinitely.

  • CVE‑2025‑55183: medium severity source code exposure. Under certain conditions, a server function might leak its compiled source, potentially revealing logic or even sensitive data.

Importantly, these do not allow remote code execution in the way React2Shell does. But they are real risks in production environments: outages and information leaks can be just as damaging.

React and Vercel both emphasize that these vulnerabilities were found while studying the RSC patch and that the original React2Shell patch does not automatically protect against them. You must update to the latest patched versions to cover these new CVEs.


Who Is Affected

If your app meets any of the following, you are likely impacted:

  • Uses React Server Components (either directly or via a framework)

  • Runs the Next.js App Router (Next.js 13.x through 16.x)

  • Includes any of the RSC packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)

Even if you previously patched for React2Shell, older “patched” versions may still leave you vulnerable to these follow‑ups.


Recommended Immediate Actions

Vercel confirms in its security bulletin covering CVE‑2025‑55184 and CVE‑2025‑55183 that:

  • Multiple Next.js versions are affected, including App Router setups

  • Patching for React2Shell alone is not sufficient

  • Projects must upgrade again to cover these newly identified issues

In other words: if you patched last week and stopped there, you are likely still exposed.

What you should do now:

  1. Re‑audit your dependencies.
    Just upgrading for React2Shell wasn’t enough. Confirm that the very latest versions of the RSC packages and Next.js are in use.

  2. Upgrade to the latest patches.
    React and Next.js fixes are published in updated package versions covering both the new denial‑of‑service and source exposure CVEs. Make sure your lockfiles reflect the updated release line.

  3. Validate your runtime.
    Static upgrades are only one layer. Run runtime vulnerability scanners to verify that the vulnerable deserialization paths are no longer reachable.

  4. Assess your exposure surface.
    Even if you don’t use server functions explicitly, framework defaults may still expose these code paths.
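As an added example for step 1 (written for this page, not code from the DWS post or from the React/Vercel advisories): a Node.js script that walks an npm package-lock.json and reports every installed copy of Next.js and the RSC packages listed above, nested transitive copies included, that is older than a minimum version you set. The sample lockfile and the minimum versions in it are constructed placeholders, and the file name audit-rsc.js is an assumption.

```javascript
// Added example (not from the DWS post or the React/Vercel advisories): walk an npm
// package-lock.json (lockfileVersion 2/3) and flag every installed copy, nested ones
// included, of the advisory's packages that is older than a minimum you supply.
const WATCHED = ["next", "react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack"];

// Numeric semver comparison on major.minor.patch; pre-release suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Keys in "packages" look like "node_modules/next" or, for a nested transitive copy,
// "node_modules/some-lib/node_modules/react-server-dom-webpack". Lockfile v1 is not handled.
function findInstalled(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (WATCHED.includes(name) && meta.version) found.push({ name, path, version: meta.version });
  }
  return found;
}

// Installed copies that fall below the caller-supplied minimum for their package.
function auditLock(lock, minimums) {
  return findInstalled(lock).filter(
    (p) => minimums[p.name] && compareSemver(p.version, minimums[p.name]) < 0);
}

// Constructed sample lockfile: a current top-level copy plus an older nested copy that a
// top-level-only check would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
};
// PLACEHOLDER minimums, not real fixed versions: take the real ones from the advisories.
const MINIMUMS = { next: "15.0.0", "react-server-dom-webpack": "19.1.0" };

// Usage: node audit-rsc.js path/to/package-lock.json (no argument: audits SAMPLE_LOCK).
const lockToAudit = process.argv[2]
  ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
for (const p of auditLock(lockToAudit, MINIMUMS)) console.log(`OUTDATED ${p.path} ${p.version}`);
```

Run it against each lockfile in a monorepo, since a nested older copy under a shared library is exactly the case step 1 warns about.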


Why This Matters

React2Shell taught us that critical deserialization bugs can give attackers full server takeover. These new issues aren’t remote code execution, but they still affect:

  • Availability: an attacker can take your server offline without authentication

  • Confidentiality: source functions might be exposed, which can reveal proprietary logic

In a world where uptime and data safety are business requirements, both classes of flaws merit action. This follow‑up also highlights a pattern you should build into your engineering mindset:

Security isn’t a single patch. It’s an ongoing process.
Patch, re‑scan, validate, and repeat.


How We’re Responding at DWS

In addition to our initial React2Shell remediation efforts, we are now:

  • Ensuring all managed projects update to versions covering the new CVEs

  • Re‑scanning dependency graphs after every security release

  • Reinforcing CI/CD with vulnerability feeds that catch follow‑ups like these

Patching once is not enough. Security evolves, and so should your pipeline.


Takeaway

React2Shell was a wake‑up call. These two new vulnerabilities are a reminder that patching is iterative, not one‑and‑done.

If you patched earlier but haven’t revisited your dependency footprint since then, you are likely still at risk.

You don’t want outages. You don’t want leaks. And you don’t want surprise CVEs cropping up in library internals without you noticing.

If you need help auditing or upgrading your React/Next.js stack, we can help.

👉 Book a call with us and let’s shore up your app before the next wave hits.