Home

Published

- 8 min read

React2Shell (Part 2): Surviving the New React DoS (CVE-2025-55184)

By William OGOU
CVE-2025-55184 DDoS React2Shell React Server Components Next.js Security CVE-2025-67779 React Patch Availability
img of React2Shell (Part 2): Surviving the New React DoS (CVE-2025-55184)

The dust had barely settled. Security teams worldwide were still in the trenches, patching the catastrophic “React2Shell” (CVE-2025-55182) Remote Code Execution vulnerability, when the ground shifted again. In the high-stakes world of cybersecurity, critical disclosures rarely come alone; they act as a beacon for researchers and threat actors alike to scrutinize adjacent code paths. The scrutiny has yielded a new, formidable threat: CVE-2025-55184, a High-Severity Denial of Service (DoS) vulnerability that threatens to take your applications offline.

While React2Shell allowed attackers to steal the keys to the castle, this new vulnerability allows them to burn the castle down. It exploits the same fragility in the React Server Components (RSC) “Flight” protocol but targets the server’s availability rather than its integrity. With millions of automated scanning attempts already detected by Cloudflare, and an initial patch that proved incomplete (leading to yet another CVE), the situation remains volatile. This is not the time for complacency; it is time for a second wave of immediate remediation.

What to Remember

  • It’s Not RCE, It’s DoS: Unlike React2Shell, CVE-2025-55184 does not grant shell access. Instead, it triggers an infinite loop that hangs the server process, causing a total Denial of Service.
  • The “Double Patch” Trap: The initial fix for this DoS was incomplete, leading to a third vulnerability, CVE-2025-67779. You must upgrade to the very latest versions (e.g., 19.0.3+) to be safe.
  • Unauthenticated Vector: An attacker does not need to log in. A single, specially crafted HTTP request sent to an RSC endpoint can lock up the server’s event loop.
  • Active Exploitation: Cloudflare has observed massive scanning activity targeting these RSC flaws, with traffic peaking at over 12 million hits per hour.
  • Frameworks Affected: If you use React, Next.js App Router, Waku, or any bundler supporting RSC (Webpack, Turbopack, Parcel), you are likely exposed.

The Mechanics of the Crash: Inside CVE-2025-55184

To understand this vulnerability, we must look deeper into the architecture of React Server Components. RSC allows the server to render components and send them to the client using a specialized serialization format known as the “Flight” protocol. This protocol handles complex data structures, including Promises, which are essential for asynchronous server operations.

The vulnerability resides in the unsafe deserialization of these payloads.

The Infinite Loop Trigger

CVE-2025-55184 creates a scenario where the React runtime attempts to unwrap a malformed payload containing cyclical Promise references. When the server receives this crafted request, the deserialization logic enters an infinite recursion loop.

In a Node.js environment, which is single-threaded, an infinite loop is catastrophic. It causes an Event Loop Lockup. The server process consumes 100% of the CPU trying to resolve the cycle and ceases to process any new incoming requests. The application doesn’t just slow down; for all intents and purposes, it dies.

Why This Matters (Availability vs. Confidentiality)

Security teams often deprioritize DoS bugs in favor of RCEs. This is a mistake in the context of RSC. Because React Server Components often power the entire frontend delivery mechanism (via frameworks like Next.js), a DoS here renders the entire website inaccessible. There is no “graceful degradation” if the server process responsible for rendering the UI is hung.

The Patching Whack-a-Mole: CVE-2025-67779

The timeline of this disclosure highlights the complexity of fixing deserialization flaws.

  1. Dec 3: React2Shell (RCE) is disclosed.
  2. Dec 3-5: Researchers attempting to bypass the RCE patch discover the DoS vector (CVE-2025-55184).
  3. Dec 6-10: React team issues a patch (versions 19.0.2, 19.1.3, etc.).
  4. Dec 11: Researchers discover the patch is incomplete. The fix prevents specific cycles but misses others. This leads to CVE-2025-67779 (CVSS 7.5).

Crucial Warning: If you patched your systems on December 8th or 9th, you are likely still vulnerable. You may have installed the intermediate versions (e.g., 19.0.2) which are now flagged as insecure. You must verify you are on the definitive fix versions released on or after December 11th.

The Side-Channel: Source Code Exposure (CVE-2025-55183)

Alongside the DoS threat, researchers uncovered a Medium-severity information leak, tracked as CVE-2025-55183 (CVSS 5.3). While less critical than the DoS, it provides attackers with intelligence that can facilitate further attacks.

This flaw exploits Server Functions—functions meant to run exclusively on the server. If a Server Function accepts an argument that undergoes string coercion (e.g., used in a template literal) without validation, an attacker can manipulate the input to force the function to return its own source code.

The Risk:

  • Exposure of business logic.
  • Leakage of hardcoded secrets or API keys (if bad practices were followed inside the function).
  • Insight into backend architecture to craft better exploits.

Threat Intelligence: Exploitation in the Wild

Data from Cloudflare’s Cloudforce One team paints a grim picture of the internet’s reaction to these disclosures. The window between disclosure and exploitation has effectively closed.

  • Massive Volume: Following the initial React2Shell disclosure, Cloudflare recorded over 582 million hits on their WAF rules related to these RSC vulnerabilities.
  • Automated Scanning: Threat actors are using tools like Nuclei and custom scanners (identified by User-Agents like React2ShellScanner/1.0.0) to probe for vulnerable RSC endpoints.
  • Payload Variation: Attackers are fuzzing the Flight protocol with payloads ranging from a few bytes to 375 MB, attempting to find edge cases that trigger crashes or bypass WAF rules.
  • Targeting: The activity is not random. It is heavily concentrated on high-value targets in Government (.gov), Critical Infrastructure, and Tech sectors, with significant traffic originating from Asia-nexus threat groups.

1. Identify and Upgrade Packages

You need to check for react, react-dom, react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack.

The Safe Versions (Patch Immediately):

  • v19.0.x Branch: Upgrade to 19.0.3
  • v19.1.x Branch: Upgrade to 19.1.4
  • v19.2.x Branch: Upgrade to 19.2.3

Note: Versions 19.0.2, 19.1.3, and 19.2.2 are the “incomplete” patches and are unsafe.

2. Update Frameworks

If you are using Next.js, you generally do not manage the react-server-dom packages directly. You must update Next.js itself.

  • Next.js: Upgrade to the latest patch release of your major version (e.g., Next.js 14 or 15) released after December 11, 2025. Verify in your package-lock.json that the underlying React dependencies match the safe versions listed above.

3. WAF Configuration

  • Cloud Armor GCP: Apply a pre-defined rule set that includes protections.
   (has(request.headers['next-action']) || has(request.headers['rsc-action-id']) ||request.headers['content-type'].contains('multipart/form-data') || request.headers['content-type'].contains('application/x-www-form-urlencoded') )&& evaluatePreconfiguredWaf('cve-canary',{'sensitivity': 0, 'opt_in_rule_ids': ['google-mrs-v202512-id000001-rce', 'google-mrs-v202512-id000002-rce']})
  • Cloudflare Users: Ensure the Managed Ruleset is enabled. Cloudflare has deployed rules (e.g., Rule ID 2694f1610c0b471393b21aef102ec699 for the DoS) to block malformed RSC payloads.
  • Other WAFs: Look for rules blocking cyclical patterns in POST bodies sent to RSC endpoints (often /_next/data or next-actions headers).

4. Verify Transitive Dependencies

The vulnerability might exist in a third-party UI library or bundler plugin you use. Run a comprehensive audit:

   npm audit
# or
yarn audit

Ensure no nested dependencies are holding onto the vulnerable 19.0.2/19.1.3 versions.

Conclusion: The Fragility of Modern Serialization

The cascade of vulnerabilities from React2Shell to CVE-2025-55184 serves as a stark reminder of the complexity inherent in modern web architectures. React Server Components represent a paradigm shift, blurring the line between client and server. This “Flight” of data across the boundary relies on serialization protocols that are notoriously difficult to secure.

Today, the threat is a server crash. Tomorrow, it could be another bypass. The only viable defense strategy is agility—the ability to detect vulnerable components and deploy patches across your infrastructure within hours, not days. If your servers are still running last week’s React patch, you are living on borrowed time.

To further enhance your cloud security, contact me on LinkedIn Profile or [email protected].

Frequently Asked Questions (FAQ)

What is the difference between CVE-2025-55184 and CVE-2025-67779?

CVE-2025-55184 is the original denial of service vulnerability caused by infinite loops during React Server Components deserialization. CVE-2025-67779 is the follow-up CVE assigned because the initial fix for 55184 was incomplete and some cyclical promise patterns could still trigger a lockup. Upgrading to the latest fixed versions that address 67779 is required to be fully safe.

Does this vulnerability affect my site if I don't use Server Actions?

Yes. Even if you do not explicitly use Server Actions or Server Functions, applications that support React Server Components (for example, Next.js App Router defaults) still expose the deserialization endpoints that can be targeted by an attacker.

Can this vulnerability lead to data theft?

CVE-2025-55184 is an availability issue and is primarily used to crash or hang the server. However, the related CVE-2025-55183 involves source code exposure, which can enable follow-on compromise if secrets are hardcoded or sensitive logic is revealed.

How do I know if I am being attacked?

Common signals include sudden spikes to 100% CPU, Node.js processes becoming unresponsive, and an unusual volume of requests to React Server Components endpoints (for example, routes under _next with RSC-related headers) with varying or unusually large payload sizes, often causing timeouts for legitimate users.

Is React Native affected?

Usually no. Standard React Native mobile apps do not expose the React Server Components runtime. You are only at risk if your setup includes react-server-dom packages as part of a web or monorepo deployment that serves React Server Components endpoints.

Resources

William OGOU

William OGOU

Need help implementing Zero Trust strategy or securing your cloud infrastructure? I help organizations build resilient, compliance-ready security architectures.

Connect on LinkedIn