React, Next.js disclose follow-up vulnerabilities, again urge users to patch immediately


Web server admins must scramble to update their backend servers again after React and Next.js disclosed two additional follow-up vulnerabilities related to last week’s discovery of a critical bug.

React is once again urging developers to update immediately, as researchers have discovered two additional vulnerabilities in React Server Components while testing the previous patch. These bugs also affect Next.js, and likely other popular React frameworks.

The flaws are not as serious as the critical “worst case scenario” bug, disclosed last week, and do not allow for remote code execution. However, they enable attackers to perform denial-of-service attacks and expose source code.


“The patches published earlier are vulnerable,” the React team warns.

“If you already updated for the Critical Security Vulnerability last week, you will need to update again.”


The advisories explain that the newly discovered bugs are quite trivial for attackers to abuse, and React urges immediate action.

The team explains that it’s common for subsequent vulnerabilities to be discovered after the critical patches are released.

“When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed,” the team said.

“Even though they do not allow for Remote Code Execution, they are high severity, and you should update (again) immediately.”


What can hackers do?

Due to an incomplete previous fix, the denial-of-service vulnerability, tracked as CVE-2025-55184, allows an attacker to send a crafted HTTP request to any App Router or Server Function endpoint; when the request is deserialized, it triggers an infinite loop “that hangs the server process and prevents future HTTP requests from being served,” Next.js’s advisory explains.

The severity of this flaw was rated 7.5 out of 10.

The second flaw, a source code exposure vulnerability tracked as CVE-2025-55183, has a medium severity rating of 5.3 out of 10.

The exploit chain is similar: the attacker sends a specially crafted HTTP request to a vulnerable endpoint, which in turn returns the source code of any Server Function.

Has my data been leaked?

Next.js warns that leaking compiled source code can reveal business logic and expose hardcoded secrets.

“Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument,” the description states.

The flaws were discovered and disclosed by RyotaK from GMO Flatt Security Inc. and Andrew MacPherson. The technical details of the flaws are intentionally restricted to protect developers who have not yet upgraded.

“Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle,” React said.


Tens of thousands of systems are still vulnerable to the previous critical bug

As of December 11th, the Shadowserver Foundation, a non-profit organization that monitors exposed systems and vulnerabilities, has detected 137,000 systems that are still vulnerable to the critical vulnerability from last week, dubbed React2Shell.

Multiple threat actors have been scanning for these systems and exploiting them with ease, using them to mine cryptocurrency, attack other systems, and more. The global wave of automated attacks is also hammering thousands of smart devices.

[Image: systems vulnerable to React2Shell (react-vulnerable). Image by Shadowserver Foundation.]

“Over 165K IPs and 644K domains with vulnerable code found on 2025-12-08 after scan targeting improvements!” the foundation warned previously.

Most of the systems vulnerable to React2Shell are in the US (88,900), followed by Germany (10,900), France (5,500), India (3,700), and China (2,500).

The Shadowserver Foundation also tracks approximately 1,200 systems that have already been compromised by attackers and remain online.

[Image: compromised systems still online (react-compromised). Image by Shadowserver Foundation.]

“Check for compromise and patch!” Piotr Kijewski, CEO at the Shadowserver Foundation, said in an email report.
