Following the previously disclosed React2Shell remote code execution vulnerabilities (React: CVE-2025-55182, Next.js: CVE-2025-66478, CVSS 10.0), additional security issues were identified in React Server Components (RSC) during post-patch analysis.
Three new vulnerabilities were disclosed:
- CVE-2025-55184 (CVSS 7.5) allows a pre-authentication denial-of-service condition in which specially crafted requests can trigger infinite processing loops on the server.
- CVE-2025-67779 (CVSS 7.5) was found to be an incomplete fix for CVE-2025-55184, meaning some versions previously believed to be patched remain vulnerable.
- CVE-2025-55183 (CVSS 5.3) can cause Server Functions to return compiled source code, potentially exposing hardcoded secrets.
These issues do not introduce a new RCE vector, but they do require an additional upgrade, even in environments that already patched React2Shell.
Vulnerable React components include versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1 and 19.2.2 of react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack. These vulnerable components are included in Next.js using App Router with versions ≥13.3, 14.0.x, 14.1.x, ≥15 and ≥16. Other frameworks that use the above-mentioned React components or depend on RSC may also be vulnerable.
Recommended Action
Users of the affected React packages should upgrade to 19.0.3, 19.1.4, or 19.2.3 (Source: React).
Next.js users should upgrade to the latest patched release for their branch, including 14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, 16.0.10, or newer canary versions (Source: Next.js).
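The version check implied by the lists above, as an added example (not code from Orca, React or Next.js): it scans a parsed npm `package-lock.json` (the v2/v3 `packages` map) for the three RSC packages and `next`, and reports any version below the patched release this advisory names for its release line. The sample lockfile and the names `auditLockfile` and `upgradeTarget` are constructed for illustration; branches for which the advisory lists no patched release (for example 14.0.x and 14.1.x) are not evaluated.

```javascript
// Added example: constructed audit helper, not Orca, React or Next.js code.
const RSC_PACKAGES = new Set([
  "react-server-dom-parcel", "react-server-dom-webpack", "react-server-dom-turbopack",
]);
// First fixed patch number per release line, taken from the advisory text above.
const REACT_FIXED = { "19.0": 3, "19.1": 4, "19.2": 3 };
const NEXT_FIXED = {
  "14.2": 35, "15.0": 7, "15.1": 11, "15.2": 8,
  "15.3": 8, "15.4": 10, "15.5": 9, "16.0": 10,
};

// Returns the "x.y.z" upgrade target when `version` is below the fixed patch
// of its release line, otherwise null. Prerelease tags are ignored.
function upgradeTarget(version, fixedByLine) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || "");
  if (!m) return null;
  const line = `${m[1]}.${m[2]}`;
  const fixed = fixedByLine[line];
  if (fixed === undefined || Number(m[3]) >= fixed) return null;
  return `${line}.${fixed}`;
}

// Walks every installed copy, including nested node_modules, so a transitive
// dependency pinning an old RSC package is reported alongside top-level ones.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const table = RSC_PACKAGES.has(name) ? REACT_FIXED
      : name === "next" ? NEXT_FIXED : null;
    if (!table) continue;
    const target = upgradeTarget(meta.version, table);
    if (target) findings.push({ path, name, version: meta.version, upgradeTo: target });
  }
  return findings;
}

// Constructed sample input (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "15.5.7" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.1.4" },
    "node_modules/react": { version: "19.2.1" },
  },
};
console.log(auditLockfile(sampleLock));
```

To audit a real project, pass the result of `JSON.parse` on the contents of its `package-lock.json` to `auditLockfile`.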
How can Orca help?
The Orca Cloud Security Platform continuously scans for vulnerabilities in your cloud environments, including AWS, Azure, Google, Kubernetes, and others. When Orca finds a vulnerability, it will immediately create an alert and assign a risk score by considering the full contextual picture of the risk and the surrounding cloud environment so teams know which vulnerabilities need to be patched first.
The Orca Platform displays trending vulnerabilities in the “From the News” widget of the Orca dashboard. Users can see whether their environment is affected by these vulnerabilities and how to remediate them.

Learn more
If you’re interested in learning more about the Orca Platform and how it can help you protect against vulnerabilities, schedule a personalized 1:1 demo.
