React2Shell Continued: What to know and do about the 2 latest CVEs

Fastly Security Research Team, Fastly

December 11th Update:

Since publishing this blog, it was found that the fix addressing CVE-2025-55184 (outlined below) in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3, and 19.2.2 are affected: they still allow unsafe deserialization of payloads from HTTP requests to React Server Function endpoints. This additional vulnerability is captured in CVE-2025-67779, and you can find the latest React versions here.


In the wake of last week’s critical-severity React2Shell CVEs, two new CVEs affecting similar Next.js and React components have just been announced. The latest disclosures raise the stakes as organizations race to assess impact, and they reinforce the need to identify exposure and patch the underlying frameworks.

Are Fastly customers impacted?

First and foremost, if you’re a Fastly customer, you’re likely here trying to understand whether the use of Fastly products exposes you to these vulnerabilities. Our initial assessment remains accurate today: Fastly’s platform and apps are not vulnerable at this time.

Please keep in mind, though, that while Fastly isn’t impacted, your organization must assess internal exposure independently.

What’s React2Shell and what are the latest CVEs related to it?

If you’re just getting up to speed on all things React2Shell, we have a running blog that covers everything you need. 

A quick TLDR – two critical CVEs (CVE-2025-55182 and CVE-2025-66478) impacting newer versions of Next.js and React components were announced on December 3rd. These CVEs (now referred to together as React2Shell) offer attackers pre-auth remote code execution (RCE) – exposing a proverbial goldmine of sensitive data, critical authorization keys, and much more if actually exploited. Attackers have a massive scale.

Since the React2Shell announcement, Fastly and the broader security community have been working hand-in-hand to create virtual patches, share data, and reaffirm to the world that organizations must identify and update their React and Next.js applications as soon as possible, and apply proactive protections to preempt attack attempts.

So what changed?

On December 11, two new related CVEs were announced – CVE-2025-55183 and CVE-2025-55184. These vulnerabilities target similar Next.js and React Server Components, but to different ends: Function Source Code Exposure (an information leak) and Denial of Service (DoS), rather than remote code execution.

These new CVEs may not be as severe as the aforementioned React2Shell CVEs; however, with these vulnerabilities now publicly disclosed, attackers who are already probing for the prior CVEs can now just as easily attempt to abuse the latter.

What is CVE-2025-55183?

Attackers can exploit CVE-2025-55183 to reveal the source code of a React Server Function (RSF) – but not the source code of the entire application. Thus, this CVE is likely not a high-impact issue unless:

  1. You are using React Server Components.

  2. You have sensitive or proprietary information contained in React Server Function (RSF) source code.

Based on our analysis, attackers could primarily use this CVE for reconnaissance, but would require other CVEs (and requisite exploits) to gain deeper access or arbitrary control over the application (as achievable with React2Shell).

Regardless, we strongly recommend against hardcoding secrets anywhere in your application, including RSFs. If you use RSFs, perform an immediate audit to ensure you do not have any proprietary or sensitive data in the source code of your function(s).
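One way to carry out that audit, as an added example that is not Fastly's or React's code: it walks a project tree for modules carrying the "use server" directive (how React marks Server Functions) and flags lines that match a few assumed, illustrative secret patterns; the sample project and the key literal are constructed.

```python
# Added example, not Fastly's or React's code: find modules that declare the
# "use server" directive (how React marks Server Functions) and flag lines
# that look like hardcoded credentials. Patterns are illustrative assumptions.
import re
import tempfile
from pathlib import Path

SERVER_DIRECTIVE = re.compile(r'^\s*(["\'])use server\1;?\s*$', re.MULTILINE)
SECRET_PATTERNS = {  # minimal assumed rule set; extend for your own secret formats
    "secret_assignment": re.compile(
        r'\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["\'][^"\']{8,}["\']', re.I),
    "aws_access_key_id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
    "bearer_literal": re.compile(r'["\']Bearer\s+[A-Za-z0-9._\-]{16,}["\']'),
}
SOURCE_SUFFIXES = {".js", ".jsx", ".ts", ".tsx", ".mjs"}

def scan_text(text):
    """Return (line_number, pattern_name) for every suspicious line."""
    return [(n, name) for n, line in enumerate(text.splitlines(), 1)
            for name, pat in SECRET_PATTERNS.items() if pat.search(line)]

def audit_tree(root):
    """Map each Server Function module (posix relative path) to its hits."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            if SERVER_DIRECTIVE.search(text) and (hits := scan_text(text)):
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample project; the key literal below is a made-up placeholder.
SAMPLE_FILES = {
    "app/actions.ts": '"use server";\nconst API_KEY = "sk_live_0123456789abcdef";\n'
                      "export async function charge() {}\n",
    "app/page.tsx": 'const token = "Bearer abcdefghijklmnopqrstuvwxyz";\n',  # no directive: skipped
    "lib/clean.ts": '"use server";\nexport async function hello() { return process.env.API_KEY; }\n',
}

def run_demo():
    """Write the sample project to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return audit_tree(root)

if __name__ == "__main__":
    print(run_demo())  # {'app/actions.ts': [(2, 'secret_assignment')]}
```

Reading secrets from the environment, as lib/clean.ts does, is what keeps them out of the function source that CVE-2025-55183 can expose.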

What is CVE-2025-55184?

This CVE enables a DoS: a crafted request can force a vulnerable application server into an infinite loop. If you do not have autoscaling or autorestarts in place, an attacker could send a specific pattern of requests and your application server would spin, consuming CPU and staying down until the application is recovered.

Beyond upgrading your application to the patched version, modern infrastructure practices may also increase your applications’ resilience to the impact of CVE-2025-55184. Any autoscaling setup (Kubernetes, for example) that handles downed instances, hung servers, and traffic bursts will not fully mitigate the bug, but it may lessen the impact. If you use autoscaling or autorestarts, your application server may “survive” the attacker’s DoS request – unless they attempt it again, or across all instances of your application at once.

What now – How to mitigate all four React2Shell CVEs

Fastly continues to see a high sustained volume of React2Shell activity, and we expect to see attackers swiftly experiment with these two new CVEs as well. While we will continue sharing insights as much as possible, it’s important to keep in mind that any organization with vulnerable apps – no matter the industry or region – should assume attackers are already probing them at a minimum, and likely trying to exploit them.

What should your next steps be?

The highest priority for organizations remains to assess exposure and upgrade to patched versions of React and Next.js. While upgrading your systems is the only reliable way to mitigate all four CVEs related to React2Shell, Fastly’s Next-Gen WAF and Bot Management solutions offer Virtual Patches and more to help block attacks while you assess exposure and push updates as needed. 

Our team is ready to help you however we can. Reach out to us at CVE-alert@fastly.com for immediate onboarding and protection while you work to deploy patches.