In addition to the vulnerabilities previously published, React has disclosed new vulnerabilities affecting applications using React Server Components.

• Denial of Service (DoS) — High severity, CVSS 7.5
   CVE-2025-55184, CVE-2025-67779: Crafted requests can exhaust server resources, causing hangs or service unavailability.
  
  
• Source Code Exposure — Medium severity, CVSS 5.3
   CVE-2025-55183: Specially formed requests may lead to disclosure of server-side source code

These issues affect the same React Server Components request handling surface as React2Shell (CVE-2025-55182) but do not enable remote code execution. The previously released React2Shell fixes continue to prevent RCE, while these new vulnerabilities impact availability and confidentiality.

Recommendations:
Upgrade to the latest patched React versions and review the exposure of React Server Components endpoints.

Wallarm mitigation:
To protect customers who aren’t using blocking mode across all apps and APIs, Wallarm has rolled out a virtual patch that blocks exploitation regardless of whether customers use blocking or monitoring mode. Please contact support if you’d like to opt out.