Following the critical “React2Shell” disclosure earlier this month, three additional vulnerabilities have been identified in React Server Components (RSC). These new flaws carry high severity and widespread impact and require immediate developer action, as they allow an attacker to cause a Denial of Service (DoS) or to leak server-side source code.
Affected Environments:
CVE-2025-55184 and CVE-2025-67779: Incomplete Patch → Denial of Service (DoS)
CVE-2025-55183: Source Code Exposure
Upgrade Immediately to patched versions:

| Release Line | Minimum Patched Version |
|---|---|
| ≥ 13.3 | 14.2.35 |
| 15.0.x | 15.0.7 |
| 15.1.x | 15.1.11 |
| 15.2.x | 15.2.8 |
| 15.3.x | 15.3.8 |
| 15.4.x | 15.4.10 |
| 15.5.x | 15.5.9 |
| 15.x canary | 15.6.0-canary.60 |
| 16.0.x | 16.0.10 |
| 16.x canary | 16.1.0-canary.19 |
Re-patch even if previously updated for React2Shell: the earlier fix was incomplete, so prior upgrades must be followed by this new update.
Verify environment hygiene: ensure secrets are injected via environment variables rather than hardcoded in server functions, so that a source-code leak exposes as little as possible.
Monitor systems for DoS symptoms: infinite loops, stalled endpoints.
Audit network activity: Look for unusual HTTP requests to App Router endpoints.
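To act on the re-patch guidance, the following is an added example (not code from the bulletin or from the Next.js project) that checks an installed Next.js version against the minimum patched versions in the table above. It assumes the “≥ 13.3” row covers 13.3 up to, but not including, 15.0, and that a version belongs to a canary line when its prerelease tag starts with “canary”; versions the table does not cover are reported as not patched so they are reviewed rather than silently passed.

```javascript
// Added example (not from the bulletin): minimum patched version per release line,
// keyed by the "Release Line" column of the table above.
const MIN_PATCHED = {
  '≥ 13.3': '14.2.35', '15.0.x': '15.0.7', '15.1.x': '15.1.11', '15.2.x': '15.2.8',
  '15.3.x': '15.3.8', '15.4.x': '15.4.10', '15.5.x': '15.5.9', '15.x canary': '15.6.0-canary.60',
  '16.0.x': '16.0.10', '16.x canary': '16.1.0-canary.19',
};

// Parse "15.6.0-canary.60" into numeric fields plus prerelease identifiers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Semver-style ordering: numeric fields first, then prerelease identifiers
// (numeric ones compared as numbers). A release sorts above its own prereleases.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  if (x.pre.length === 0 || y.pre.length === 0) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (i >= x.pre.length) return -1;
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i], pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p < +q ? -1 : 1; }
    else if (pn !== qn) return pn ? -1 : 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Map a version to its table row, or null when the table does not cover it
// (assumption: e.g. 12.x, 13.0-13.2, a 14.x canary, or a stable 15.6+/16.1+).
function releaseLine(v) {
  const { major, minor, pre } = parseVersion(v);
  if (pre[0] === 'canary') return major === 15 ? '15.x canary' : major === 16 ? '16.x canary' : null;
  if ((major === 13 && minor >= 3) || major === 14) return '≥ 13.3';
  if (major === 15 && minor <= 5) return `15.${minor}.x`;
  if (major === 16 && minor === 0) return '16.0.x';
  return null;
}

// Returns { line, minimum, patched }; uncovered versions come back as patched: false.
function checkNextVersion(installed) {
  const line = releaseLine(installed);
  if (line === null) return { line: null, minimum: null, patched: false };
  const minimum = MIN_PATCHED[line];
  return { line, minimum, patched: compareVersions(installed, minimum) >= 0 };
}
```

Feed it the `next` version from each project's package-lock or `npm ls next` output; anything returning `patched: false` needs the upgrade from the table.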
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.